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Hidden  value  and 
the  multipurpose  peanut. 


Can  you  see  it? 


Patti  Lewis,  process  streamliner,  financial  industry 


The  peanut.  Long  before  peanut  butter,  peanut  oil,  peanut  dye  and  peanut  ink,  the  peanut  was  a  trash  crop.  Peanuts  were  planted  in  the 
American  South  to  replenish  soil  nutrients  sapped  by  cotton  cultivation.  Peanut  yields  were  plowed  under,  burned  or  fed  to  hogs. 

That  is,  until  a  man  named  Carver  came  along.  Little  did  he  know  it  at  the  time,  but  George  Washington  Carver  would  become  the  grand¬ 
father  of  hidden  value.  He  not  only  created  new  products,  new  industries  and  new  value,  but  he  almost  single-handedly  revitalized  the 
economy  of  the  South.  All  from  a  peanut. 

Where  is  the  peanut  in  your  business?  That  overlooked  or  unreachable  nugget  of  new  revenue  or  efficiency?  Chances  are,  you  need  to 
dig,  because  value  can  be  trapped  or  hidden  anywhere.  In  your  processes  (outdated,  rigid  hierarchies,  silos  and  workflows).  In  cultural 
ruts  (behavior  that’s  been  in  place  forever  and  is  resistant  to  change).  In  your  IT  (proprietary  systems  that  don’t  talk  to  each  other  or  to 
partners’  systems).  You  might  not  know  where  it  is,  but  one  thing  is  for  sure  —  it’s  there.  Somewhere.  Sometimes  you  just  need  to  take  a 
step  back,  to  take  a  closer  look.  Sometimes  you  need  a  second  opinion. 

On  demand  thinking  finds  hidden  value  by  looking  at  your  business  holistically,  looking  at  anything  that  could  benefit  from  tighter 
integration  —  organizational  integration,  cultural  integration,  technological  integration.  Failures  in  any  one  of  which  can  stifle,  pin  down 
or  hide  value,  even  if  the  others  are  working  well. 

So  start  small.  Unearth  the  value.  The  upside  could  be  huge.  Remember,  this  all  started  with  just  a  peanut. 

On  demand  business  starts  with  on  demand  thinking. 

Real  people  with  real  insights  and  the  resources  to  deliver  on  them.  Partners,  listeners,  problem  solvers.  Doers.  People  to  help  you 
evolve  your  thinking,  your  business  and  your  culture.  It  won’t  happen  overnight.  It  will,  however,  create  real  change  in  your  company. 

On  demand  business.  Get  there  with  on  demand  people.  Call  800  IBM  7080  (ask  for  thinking)  or  visit  ibm.com/services/thinking 


IBM  and  the  IBM  logo  are  trademarks  or  registered  trademarks  of  International  Business  Machines  Corporation  in  the  United  States  and/or  other  countries.  ©  2003  IBM  Corp.  All  rights  reserved. 


Patti  Lewis,  process  streamliner,  financial  industry 


Microsoft’s  IT  and  employee  services  had  a  bright 
and  output  devices  worldwide.  Help  desk  calls  are 


Learn  more:  www.xerox.com/learn  For  a  sales  rep:  1-800-ASK-XEROX  ext.  LEARN 


©  2002  XEROX  CORPORATION.  All  rights  reserved.  XEROX?  The  Document  Company®  and  There's  a  new  way  to  look  at  it  are  trademarks  of  XEROX  CORPORATION. 

Microsoft,  the  Office  logo,  PowerPoint,  Word,  Excel,  Windows,  the  Windows  logo,  and  Windows  XP  are  either  registered  trademarks  or  trademarks  of  Microsoft  Corporation  in  the  United  States  and/or  other  countries. 


idea.  They  chose  Xerox  to  manage  their  imaging 
down.  So  are  costs.  There’s  a  new  way  to  look  at  it. 


The  Document  Company 

XEROX 


IBM’s  pitch  that  on-demand  e-business  will  reduce  IT  costs  and  make  every¬ 
thing  work  better  sounds  good,  especially  to  CEOs  who  don’t  understand  that 
the  technologies  to  make  it  happen  just  don’t  exist,  by  Christopher  koch 
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Features 

RISK  MANAGEMENT 
Playing  with  Fire  I  60 

IT  is  late  to  embrace  risk  analysis,  but  without  it,  project 
portfolio  management  is  nothing  more  than  a  fad. 

By  Scott  Berinato 


The  New  York  Times  Co.  CIO 
Michael  Williams  and  Janet 
Burns,  project  management 
director,  say  the  company's 
project  management  office 
changed  from  a  centralized 
one  to  a  virtual  one  that  is 
more  in  line  with  the  com¬ 
pany's  collaborative  culture. 


HEALTH-CARE  SECURITY 
Eight  (Not  So)  Simple  Steps 
to  the  HIPAA  Finish  Line  I  70 

While  much  of  the  new  security  rule  is  common  sense,  meeting  it 
by  the  2005  deadline  won’t  be  easy.  Here’s  a  checklist  to  ease  your 
heartburn.  By  Alice  Dragoon 

PROJECT  MANAGEMENT 
Office  Discipline:  Why  You  Need  a 
Project  Management  Office  I  82 

Companies  seeking  more  efficiency  and  tighter  monitoring 
of  IT  projects  are  opening  project  management  offices  in 
growing  numbers.  But  don’t  expect  a  quick  fix,  easy  metrics 
or  an  immediate  payback.  By  Megan  Santosus 

CASE  FILES  I  INTEGRATED  ENDEAVORS 
All  for  One  View  I  91 

By  having  its  employees  use  the  same  Web  interface  as  its  cus¬ 
tomers,  Vanguard  saved  itself  time,  money  and  the  hassles  that 
arose  from  a  classic  case  of  channel  inequality.  By  Alice  Dragoon 
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BETTER  MANAGEMENT  DOES. 

The  secret  to  a  secure  enterprise  lies  in  not  just  monitoring  the  parts,  but  managing  it  as  a 
whole.  That  s  exactly  what  eTrust  lets  you  do.  In  fact,  our  eTrust™  Security  Command  Center 
is  the  perfect  solution  to  security  information  overload.  It  gives  you  the  big  picture  from  a  single 
vantage  point,  with  all  your  event  information  prioritized.  So  you  can  identify  actual  internal 
and  external  threats  before  ley  can  wreak  havoc.  Anything  less  would  be,  well,  alarming. 


eTrust™ 


ACCESS  •  THREAT  •  IDENTITY 

SECURITY  MANAGEMENT  SOFTWARE 


■ ..  Ap'u  .er  Associate 


Computer  Associates 
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Your  priorities 
are  dear  now. 


Finally,  you  won’t  be  distracted  by  day-to-day  network  management  issues. 

With  NextiraOne  as  your  partner,  everything  about  your  networks  becomes  clear. 

And  your  job  does  too. 

At  NextiraOne,  we  bring  clarity  to  your  complex  communications  networks.  Whether 
we’re  planning,  designing,  implementing,  supporting  or  managing.  Whether  it’s  a 
voice,  data  or  converged  environment.  Whether  you’re  in  the  United  States  or  around 
the  world.  No  matter  what,  we  provide  the  expertise,  resources,  leadership  and 
vendor-independence  that  ensure  world-class  networks.  In  fact,  NextiraOne  is 
already  working  —  adding  clarity  —  at  almost  500,000  sites  worldwide. 

Frankly,  with  us  on  your  side,  your  job  will  never  be  the  same.  Instead  of  worrying 
about  the  complexities  of  your  network,  you  can  focus  on  things  that  are  clearly 
more  important.  Like  getting  more  for  your  IT  dollar. 


www.NextiraOne.com  (888)  398-0547 


Columns 

NET  GAINS 

Fundamentals  of  Value  I  34 

To  achieve  a  value  mind-set,  focus 
relentlessly  on  customers. 

By  Mohanbir  Sawhney 

PEER  TO  PEER 
How  to  Survive  in 
the  Public  Sector  I  38 

As  the  former  CIO  of  Wyoming  learned, 
it’s  not  easy  staying  on  top  of  the  political 
bull.  By  William  Campbell 


EMERGING  TECHNOLOGY 

Smooth  Talkers 

Until  recently,  organizations  tended  to 
shy  away  from  speech  integration  because 
of  the  technology’s  complexity  and  cost. 
Today,  preconfigured  speech  templates, 
drop-in  objects  and  other  packaged  tools 
make  speech  integration  development 
less  burdensome.  By  John  Edwards 


I  98 


THE  NEW  WORK  ORDER 
Withering  Heights  I  44 

We  thought  companies  would  want  to 
single  out  their  “high  end”  knowledge 
workers  for  special  treatment.  We  were 
wrong.  By  Tom  Davenport 

Sections 

TRENDLINES  I  18 

Wi-Fi  crime  fighters;  High  demands  of  on- 
demand  computing;  War  e-mail.  And  more 
BY  THE  NUMBERS  I  22 
When  it  comes  to  project  management 
offices,  clout  matters.  See  the  latest  research 
on  project  management  sponsorship. 


ON  THE  MOVE  I  26 

CIOs  on  the  go — see  where  your 
IT  peers  are  working  now. 

PROFILE:  Tracy  Austin’s  back  in  the  game. 

EMERGING  TECHNOLOGY  I  98 

Speech  integration  technology  gives 
customers  and  employees  convenient 
access  to  back-end  data. 

By  John  Edwards 

UNDER  DEVELOPMENT  I  104 

Hitachi’s  new  imaging  system  projects 
pictures  onto  nearly  invisible  glass. 

PUNDIT  I  106 

John  Parkinson  on  open-source  software. 


In  Every  Issue 

INDEX  i  no 

EXECUTIVE  SUMMARY  I  112 

Abstracts  of  all  the  feature  stories  found 
in  this  issue. 


“Whether  you  agree  with  the  concept  of  high-end 
workers  or  not,  all  knowledge  workers  are  not 
alike.  There  are  ‘sitters’  and  there  are  ‘movers.’ 
There  are  ‘talkers’  and  there  are  ‘thinkers.’” 

-Tom  Davenport,  New  Work  Order  columnist,  on  knowledge  workers  Page  44 
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What’s  driving  your  customers’  decisions? 
Acxiom’s  experience  helps  you  know. 


Acxiom®  gives  companies  the  ability  to  interact  with  their  customers  as  part  of  a  meaningful, 
ongoing  relationship.  Customers  are  more  than  just  a  name,  and  CRM  is  more  than  just  an 
acronym.  It’s  the  way  you’ll  do  business.  And  you’ll  do  it  with  a  partner  you  can  trust. 

We  provide  customer  and  information  management  solutions  that  work.  It’s  what  has 
made  us  a  trusted  partner  for  some  of  the  largest,  most  respected  companies  in  the  world 
-  companies  like  Nissan  North  America,  Charles  Schwab  &  Co.,  AT&T,  Sprint,  Reiman 
Media  Group,  Federated  Department  Stores  and  Rodale  just  to  name  a  few. 


Are  you  ready  to  grow  your  bottom  line  by  building  valuable  relationships  with  your  customers? 
Acxiom  is  ready  for  you.  Forming  a  great  relationship  with  us  puts  you  in  the  driver’s  seat  to 
experience  a  great  relationship  with  your  customers. 


1 • 800 •BE* PETTY 


Win  a  day  at  the  Richard  Petty  Driving  Experience. 
Visit  www.acxiom. com/petty  for  more  information. 


I-888-3ACXIOM 
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GREAT  RELATIONSHIPS" 


©  2003  Acxiom  Corporation.  All  rights  reserved.  Acxiom,  AbiliTec.  InfoBase  and  Solvitur  are  registered  trademarks  of  Acxiom  Corporation.  Great  Relationships  is  a  service  mark  of  Acxiom  Corporation.  All  other  trademarks 
and  service  marks  mentioned  herein  are  property  of  their  respective  owners. 


©  2003  Microsoft  Corporation  All  nghts  reserved  Microsoft.  Active  Directory.  Windows,  and  the  Windows  logo  are  either  registered  trademarks  or  trademarks  of  Microsoft  Corporation 
in  the  United  States  and, 'or  othet  countries.  The  names  of  actual  companies  and  products  mentioned  herein  may  be  the  trademarks  of  their  respective  owners. 


Securing  your  5,000-user  network  requires 


Introducing  Microsoft  Windows  Server  2003.  Do  more  with  less 


You’re  being  asked  to  do  more.  You’re  being  asked  to  do  it  with  less.  Microsoft  Windows  Server  2003  is  designed 
to  manage  these  opposing  forces  and  help  you  deliver  an  end-to-end  security  solution  with  less  time,  money, 
and  hassle.  Get  your  free  evaluation  copy  of  Windows  Server  2003  at  microsoft.com/windowsserver2003 
by  July  31.  2003.  Software  for  the  Agile  Business. 


QUALCOMM  Incorporated,  the  wireless  technology  leader,  built  their  secure  networking  and  communications  infrastructure 
on  Windows  Server  2003.  The  company  deployed  the  Active  Directory  service ,  Group  Policy,  and  network  security  features  to 
help  provide  secure  wireless  access,  remote  connectivity,  and  identity  administration  for  nearly  6,000  employees.  QUALCOMM 
anticipates  a  more  secure  infrastructure,  along  with  up  to  33%  lower  management  costs. 
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INTERACTIVE 

>reatures 

from  July  1  to  July  15 


Our  Daily  Web 

MONDAY  Tech  Tact 

Technology  Editor  Christopher 
Lindquist  covers  what's  coming. 


ASK  THE  SOURCE 


John  Kocon  on  the  Effective  PMO 


"You  have  to  really  understand  the  culture,”  says  John 
Kocon,  project  management  officer  at  Oregon  Health  & 
Science  University,  about  setting  up  a  PMO  that  really 
works  (see  Office  Discipline:  Why  You  Need  a  Project 
Management  Office,  Page  82).  Until  July  15,  you  can  ask 
Kocon  your  questions  about  how  to  set  up  a  PMO  and  how 
to  get  project  stakeholders  to  go  along  with  the  new  way  of  doing  things. 
Go  to  www.cio.com/ask  to  get  the  answers  that  you  need  from  Kocon. 


John  Kocon 


TEST  DRIVE  YOUR  RISK 

Try  a  Monte  Carlo 

In  Playing  with  Fire  (Page  60),  Senior  Editor  Scott  Berinato  introduces  CIOs  to  two  statisti¬ 
cal  tools:  Monte  Carlo  simulations  and  decision  tree  analysis.  If  you’re  just  itching  to  try  a 
Monte  Carlo  of  your  own,  we’ve  built  an  interactive  version  (requires  Flash)  so  that  you  can 
test  your  hand  at  risk  analysis.  Go  to  the  online  version  of  this  article  and  start  driving. 


ADD A COMMENT 

Think  You’ll  Get  Off  the  Hook? 

IBM’s  latest  TV  commercials  dabble  in  truth:  the  mess  that  IT  has  become  (see  IBM’s  New 
Hook,  Page  48),  but  says  its  “e-business  on-demand”  is  the  answer.  You  know  what’s  going 
on.  But  does  your  CEO  who’s  hell-bent  on  this— or  any— solution?  Even  IBM  says  that  on- 
demand  is  a  long-term  vision.  Is  IBM  going  to  get  you  off  the  hook  or  just  onto  another  one?  Go 
to  the  online  version  of  the  article,  and  give  us  your  two  cents  in  the  Add  a  Comment  section. 


More  Resources  Online 

Eight  (Not  So)  Simple  Steps  to  the  HIPAA  Finish  Line,  Page  70:  We  have  more  on 
how  hospitals  are  using  technology  to  comply  with  HIPAA  as  well  as  links  to  a 
summary  of  the  Security  Rule  and  other  HIPAA  resources. 

Playing  with  Fire,  Page  60:  You  can  download  the  Risk  Control  Form,  reprinted  from 
Waltzing  with  Bears.  We  also  have  a  case  study  of  one  IT  department’s  stab  at  risk 
analysis  as  well  as  three  books  you  need  to  get  started  with  risk. 

Peer  to  Peer:  How  to  Survive  in  the  Public  Sector,  Page  38:  For  more  on  the  trials  of 
public-sector  CIOs,  see  these  archived  stories— “From  Private  to  Public”  (May  15,  2003) 
and  "Dire  States"  (June  1,  2003). 


TUESDAY  Alarmed 

Security  experts  Sarah  D.  Scalet 
and  Scott  Berinato  give  you 
something  new  to  worry  about. 

WEDNESDAY  Metrics 

Web  Writer  Jon  Surmacz  makes 
sense  of  the  numbers. 


THURSDAY  Sound  Off 

Web  Editorial  Director  Art 
Jahnke  opines  on  managerial, 
political  and  ethical  dilemmas. 

FRIDAY  The  Big  Picture 

Charts  and  graphs  that  are 
worth  a  thousand  words. 

EVERY  WEEKDAY  The  News 

We  synthesize  the  top  IT  news 
stories  of  the  day. 


What’s  New  on  the  Web 

Looking  for  your  favorite  CIO 
columnists’  past  columns?  Now 
you  can  find  them  all  in  one  place: 

www.cio.com/columnists. 


Find  links  to  the  stories  mentioned  on  this  page  at 
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Dependable  technology  builds  confidence 


When  you  set  out  to  conquer  e-business  challenges,  success  or  failure  often  hinges 
on  your  technology  partner.  Consider  the  partner  that  4  out  of  5  FORTUNE  500® 
companies  already  trust:  Sterling  Commerce.  With  a  25-year  track  record  of 
helping  businesses  successfully  improve  performance  and  operating  metrics, 
no  partner  is  more  dependable  or  more  knowledgeable. 

Integrating  existing  processes?  Developing  new  ones?  Building  entire  electronic 
trading  communities?  Look  to  us  for  dependable  software  and  services. 

It's  all  a  matter  of  confidence. 


sterling  commerce 
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Senior  Production  Coordinator  Lisa  Stevenson 

EXECUTIVE  PROGRAMS 

EP  Senior  Vice  President  Jennifer  Richards 
Conference  Management  Vice  President  Cynthia  Mollus 
Marketing  Services  Director  Shellie  Rapson  James 


Business  Development  VP  John  Amato 
Program  Operations  Manager  Brian  Fuce 
Marketing  Manager  Glede  Kabongo 
Marketing  Services  Coordinator  Andrea  Slobogan 
Event  Development  Specialist  Sandra  J.  Hughey 
Operations  Coordinator  Michael  Barbato 
Event  Planning  Manager  Amy  Turell 
Senior  Customer  Services  Coordinator  Sarah  Yee 

MARKETING 

Executive  VP/Marketing  Cathy  O’Leary  Hayes 
VP/News  and  Information  Susan  Watson 
Media  Relations  Manager  Karen  Fogerty 
News  and  Information  Associate  Lori  Piscatelli 
Marketing  Research  Director  Bridget  Cammarata 
Marketing  Research  Manager  Carolyn  Johnson 
Sr.  Marketing  Research  Analyst  Dylan  DiGregorio 
Marketing  Comm.  Director  Sue  Yanovitch 
Sr.  MarCom  Development  Specialist  Kari  Curto 
Marketing  Comm.  Associate  Sarah  Crowley 

ADMINISTRATION 

Manager  of  Finance  Margarita  Chiango 
Finance  and  Operations  Analyst  Chris  Bernardi 
Executive  Assistant  to  the  President  Diane  Martin 
Billing  Administrator  Joyce  Gillis 
Facilities  Specialist  John  Kelley 
Office  Services  Coordinator  Mary  E.  Wooldridge 

HUMAN  RESOURCES 

Human  Resources  Vice  President  Patricia  Chisholm 
Human  Resources  Manager  Tanya  Bureau 
Human  Resources  Representative  Beth  S.  Ramistella 

FOUNDER 

Joseph  L.  Levy 


INTERNATIONAL  DATA  GROUP 

CEO  Pat  Kenealy 

Board  Chairman  Patrick  J.  McGovern 
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Pam  "black  and 
white  are  colors 
too"  Cali 


nl  was  never  against  the  idea  of  color  printers.  Color 
is  a  beautiful  thing.  I  just  had  a  problem  with  the  price 
tag.  But  Savin  showed  us  how  we  could  afford  color. 
Good  color.  Business  color.  This  system  does  it  all  — 
copies,  prints,  scans  to  file,  scans  to  e-mail.  All  in 
color.  All  without  messing  up  the  network.  It's  almost 
as  if  the  Savin  C3210  was  custom-made  just  for  us!' 

See  what  Savin  can  do  for  you  at  www.savin.com 

531/m  works  here. 


I  AM  A  CISCO  1200 
SERIES  DUAL 
BAND  WI-FI 
ACCESS  POINT 


\ 


I  AM  70  MORE 
MINUTES  OF 
PRODUCTIVITY  PER 
EMPLOYEE  PER  DAY 

I  AM  A  CISCO  WIRELESS  NETWORK.  I  HAVE  THE  POWER  TO 
CONNECT  EMPLOYEES  TO  VITAL  DATA  WHEREVER  THEY  ARE. 
AND  DO  IT  SECURELY.  THAT  SAVES  TIME.  THAT  SAVES  MONEY. 
THAT  IS  POWERFUL.  I  AM  MORE  THAN  A  CISCO  1200  SERIES 
DUAL  BAND  WI-FI  ACCESS  POINT. 


THIS  IS  THE  POWER  OF  THE  NETWORK.  IIOW. 


cisco.com/mobilitynow 


Cisco  Systems 


'  2003  Cisco  Systems,  Inc.  All  rights  reserved.  Cisco  Aironet.  Cisco  Systems  and  the  Cisco  Systems  logo  are  registered  trademarks  or  trademarks  of  Cisco  Systems.  Inc. 

U.S.  and  certain  other  countries. 


FIREWORKS  shows 
have  always  been  about 
two  things:  lighting  up  the  night  sky 
With  brilliant  colors,  and  booming 
explosions  that  scare  kids  out  of  their 
wits.  Behind  the  scenes,  though,  much 
has  changed.  It’s  safer,  for  one  thing, 
(No  more  lighting  fireworks  shells  by 
handheld  flares.)  And  pyrotechnicians 
employ  computers  to  coordinate  their 
displays  and  the  accompanying 
celebratory  music.  The  advancements 
in  electronics  and  computerization  has 
sparked  a  revolution  in  pyrotechnics, 
says  Felix  Grucci,  a  partner  in  Fireworks 
by  Grucci,  which  has  been  lighting  up 
the  skies  since  1850, 

“We  have  it  down  to  tenths  of  a 


and  the  music,"  Grucci  says.  Grucci's 
company  handled  the  pyrotechnics  at 
the  past  six  presidential  inaugurals, 
v  f>  the  Salt  Lake  City  2002 
x  N  '  f  '  '  Winter  Olympics, 
v  x  andisontapto 

»  '  ,  '  /  ~  -  run  fireworks 

'  '  showsin 

<4  ,  *  *  '  \  '  'v  morethan 

/  "  *1  i'  \  75  cities  this 

/  t  )  \  July  Fourth. 

T  Jl  in'  -Tom  Wailgum 


Wi-Fi  Crime  Fighters 


That’s  why  the  police  in  Post  Falls,  Idaho, 
a  town  of  20,000,  is  using  802.11  wireless 
technology,  popularly  known  as  Wi-Fi,  which 
offers  much  faster  speeds.  It’s  also  much 
cheaper.  “The  cellular  carriers  were  unable 
to  provide  an  [unlimited-use]  plan  we  could 
afford,”  says  Lt.  Scot  Haug,  who  manages 
the  department’s  IT  group.  The  Wi-Fi  deploy¬ 
ment  cost  $208,000,  about  three  years’ 
worth  of  cellular  charges,  he  says. 

The  town  has  covered  more  than  50 
square  miles  with  23  access  points,  providing 
90  percent  availability  for  roaming  officers, 
Haug  says.  Using  a  combination  of  unidirec¬ 
tional  and  omnidirectional  antennas  and 
amplifiers,  the  access  points  have  a  5-mile 
range,  depending  on  the  terrain,  he  notes. 
The  system  was  completed  in  April. 

With  an  all- 8 02. 11  network,  Haug  has  a 
lot  of  bandwidth  to  exploit,  so  he’s  imple¬ 
menting  voice  over  IP,  e-mail  and  remote- 
controlled  video  cameras  over  the  network 
for  use  in  22  patrol  cars.  “This  is  the  next 
frontier  in  wireless,”  says  Mark  Lowenstein, 
managing  director  of  Mobile  Ecosystem. 
“Presenting  Wi-Fi  as  the  last-mile  access  has 
been  a  very  nichey  thing,  [but]  it’s  the  wave  of 
the  future,”  adds  Kathryn  Korostoff,  presi¬ 
dent  of  Sage  Research. 

For  the  Post  Falls  P.D.,  the  biggest  secu¬ 
rity  concern  is  that  others  will  tap  into  the 

Continued  on  Page  20 


Sgt.  Pat  Knight  of  the  Post  Falls,  Idaho,  Police 
Department  uses  a  laptop  with  a  Wi-Fi  connec¬ 
tion  to  communicate  with  headquarters. 


FOR  SEVERAL  YEARS,  police  departments 
have  used  low-bandwidth  wireless  systems 
to  check  on  suspect  IDs  and  vehicle  license 
plates.  Cellular  carriers  are  now  promoting 
faster  technologies,  the  so-called  third-gener¬ 
ation,  or  3G,  networks  such  as  general  packet 
radio  service  (GPRS)  that  offer  modem-like 
speeds.  But  that’s  still  not  enough  for  trans¬ 
mitting  photos  or  case  records. 
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PHOTOS  RIGHT  BY  PHOTODISC 


To  me,  success  is  a  35  minute  lunch. 


At  a  restaurant,  not  my  desk. 


Means  I'm  not  wasting  time  doing  the 


same  data  management  task  again  and 


again  and  again  and. ..well, you  get  it. 


Save  the  day. 


Consolidate  your  work  by  consolidating  data  from  all  your  different  systems.  One  way  is  with  a  V2X  Shared  Virtual  Array™  subsystem 
and  SnapVantage™ software  to  unite  all  your  Linux  virtual  servers.  Or  an  L5500  automated  tape  library  and  T9940B  tape  drive.  There 
are  other  ways,  too.  We'll  help  find  the  one  that's  best.  So  storage  administration  takes  a  smaller  bite  out  of  your  day.  Learn  more 
about  this  story  and  other  ways  we  can  help  you  at  www.savetheday.com  STORACETEK *  Save  the  Day.™ 

mm 
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Wi-Fi  Crime  Fighters 

Continued  from  Page  1 8 

network  to  access  police  and  city  systems,  or 
simply  to  tap  into  a  free  citywide  network, 
which  could  cause  congestion  that  interferes 
with  police  access,  Haug  says.  To  keep  out 
snoopers,  the  department  enabled  all  the 
built-in  encryption  in  its  Wi-Fi  network, 
including  wired  equivalency  protocol  (WEP), 
and  is  using  128-bit  software  encryption, 
dynamically  rotating  keys,  proprietary  com¬ 
pression  and  certificates-based  encryption. 

Another  need:  By  law,  police  must  be  able 
to  audit  communications  to  verify  who 
accesses  the  system  at  all  times.  The  stan¬ 
dard  approach  of  using  dynamic  IP  addresses 
makes  it  impossible  to  track  the  user’s  chang¬ 
ing  IP  addresses  for  use  in  such  audit  trails, 
says  Mel  Nottage,  director  of  The  Network 
Group,  a  consultancy  in  Coeur  d’Alene, 


Why  Wi-Fi 


Wi-Fi  is  faster  than  other 


wireless  protocols.  Here’ 
how  long  it  takes  to  transmit  a  300KB 
image  using  three  wireless  standards: 


TECHNOLOGY 


DOWNLOAD  SPEEDS 


802.11b  (Wi-Fi) 


0.5  to  2.3  seconds 


3G  cellular  (GPRS, 
CDMA2000  lxRTT) 


24  to  48  seconds 


CDPD  cellular  (used 
by  most  police) 


up  to  6  min.,  40  sec. 


J 


Idaho,  that  implemented  the  Post  Falls 
802.11  network.  To  maintain  a  fixed  IP 
address  for  roaming  users,  Nottage  had  to 
manipulate  the  network  at  the  radio,  net¬ 
work  and  presentation  layers  to  handle  the 
hand-offs,  he  says.  The  department  uses 
Seattle-based  NetMotion  Wireless’s  Mobil¬ 
ity  management  and  security  suite  to  handle 
the  roaming  between  access  points.  NetMo¬ 
tion  Mobility  reauthenticates  users  as  they 
switch  access  points  and  resumes  any  inter¬ 
rupted  sessions.  -Galen  Gruman 


HISTORICAL 

RECORDS 

E-Mail 
from  the 
Iraqi  Front 


(ifo,  Beautiful 

Well,  Love,  things  continue  to  happen 
here.  To  include  the  wonderful 
weather  we  are  currently  experienc¬ 
ing.  Sweetheart,  if  you  ever  want  to 
live  anywhere  close  to  a  desert  (even 
Vegas  or  Rio),  you'll  have  to  live 
alone. 


SOLDIERS’  LETTERS  written  during  the  Civil 
War  are  perfectly  preserved  in  museums  and 
private  collections.  World  War  II  writings  from 
the  front  are  the  stuff  of  books.  But  100  years 
from  now,  will  our  descendants  be  able  to 
read  e-mails  from  soldiers  who  fought  in  Iraq? 

Organizations  that  specialize  in  archiving 
memorabilia  from  U.S.  wars  are  emerging  to 
do  just  that,  collecting  these  transmissions 
to  and  from  the  Iraqi  conflict  by  American 
soldiers  and  their  families. 

Early  this  year,  when  it  was  clear  war  with 
Iraq  was  likely,  Beth  Inman,  curator  of  history 
at  the  South  Carolina  Confederate  Relic 
Room  &  Museum,  and  her  colleagues  began 
a  project  called  “Write  from  the  Front," 
asking  military  families  to  copy  the  museum 
on  e-mails  sent  during  the  war  (see  more  at 
www.state.se.  us/err/ write_  from.htm ) . 

“We  knew  if  we  waited  until  the  war  was 
over,  a  lot  of  the  messages  would  be  deleted,” 

Inman  says.  So  far,  90  families  have  shared 
their  e-mails,  with  some  family  members 
“cc’ing”  the  museum  on  their  e-mails. 

Writer  and  historian  Andrew  Carroll  of  The 
Legacy  Project  ( www.warletters.com )  also 
began  seeking  e-mails  from  soldiers  in  Iraq  as  soon  as  the  conflict  began.  Carroll,  who 
edited  the  book  War  Letters:  Extraordinary  Correspondence  from  American  Wars  (Scribner, 
2001),  directs  The  Legacy  Project,  a  national,  all-volunteer  effort  that  seeks  to  save  the 
wartime  letters  of  American  soldiers. 

“The  best  understanding  we  have  of  what  it’s  like  to  be  in  a  war  is  from  letters  from 
people  who  are  in  the  eye  of  the  storm,”  Carroll  says.  (Above  is  an  excerpt  of  an  e-mail  in  The 
Legacy  Project,  from  Capt.  Scott  C.  Smith  of  the  101st  Airborne  to  his  wife,  1st  Lt.  Kelly  Smith 
of  the  568th  engineering  company.) 

Carroll  says  the  irony  in  communications  advances  is  that  technologies  that  followed 
paper  and  ink  are  harder  to  save  for  posterity.  Many  Vietnam  War  soldiers  taped  audio 
messages,  and  Gulf  War  soldiers  from  the  early  ’90s  made  videotapes  for  loved  ones.  But 
few  are  accessible  today,  either  because  the  formats  to  play  the  recording  no  longer  exist  or 
the  tape  media  has  disintegrated. 

Carroll  acknowledges  that  e-mail  is  a  valuable  way  for  people  across  the  world  to 
communicate  quickly  and  to  share  messages  with  many  family  and  friends.  “Yet  we  have 
handwritten  letters  from  the  Civil  War  that  are  as  bright  and  clear  as  the  day  they  were 
written,”  Carroll  adds.  -Cate  Coulacos  Prato 


Ifs  strange  planning  these  types  of 
operations  when,  technically,  we're 
still  at  peaoe.  I  feel  confident  as  do 
the  boys.  Most  of  my  guys  are  new. 
Sometimes  they  seem  "bothered”  by 
classes  or  training  when  it  cuts  into 
Spades  or  sleep  time.However,  they 
are  eager  to  "get  it  on"  so  we  can  get 
it  over  with  and  go  home.  Did  I 
mention  how  much  I  miss  you?  Every 
day,  Love,  everyday. 

Love, 

"Me" 

SCOTT  C.  SMITH 
CRT,  IN 
Platoon  Les 
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Build  a  scalable 
data  warehouse 
with  a  single 
point  of  control. 


SAS®  provides  a  high-impact,  low-risk  way  to 
achieve  intelligent  data  warehousing.  You  can 
extract,  transform  and  load  data  from  any  source, 
across  any  platform,  while  assuring  quality.  Simplify 
the  way  you  create  and  customize  reports.  And 
deliver  a  shared  version  of  the  truth.  To  find  out 
how  top  companies  reap  bottom-line  rewards 
with  SAS  software -by  leveraging  the  value  of 
data  from  corporate  systems,  e-business  channels, 
the  supply  chain  and  beyond -visit  us  on  the  Web 
or  call  toll  free  1  866  270  5727. 

www.sas.com/warehouse 


The  Power  to  Know* 
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©  2003  SAS  Institute  Inc.  All  rights  reserved.  232130US.0503 


trendlines 


When  It  Comes  to  PMOs, 
Clout  Matters 


Best  Practices 

To  position  your  PMO  at  the  highest 
level,  you  must  sell  it  to  the  board. 
Here  are  your  arguments: 


SENIOR-LEVEL  SPONSORSHIP  and 

visibility  are  keys  to  a  successful  project 
management  office.  A  recent  study  of 
303  organizations,  conducted  by  CIO  and 
the  Project  Management  Institute,  found 
that  67  percent  of  companies  today  have 
project  management  offices,  or  PMOs. 
Those  companies  that  have  a  senior-level 
executive  who  oversees  the  PMO  reported 
greater  project  success  rates  (projects 


completed  on  time,  on  budget  and  with  all 
the  original  specifications)  than  those 
without  a  PMO  czar.  PMOs  that  were  formed 
at  a  corporate  level— establishing  processes 
for  the  entire  company— were  also  taking  on 
a  greater  number  of  the  company’s  proj¬ 
ects,  and  the  projects  managed  were  larger 
in  terms  of  dollars  invested.  (For  more  on 
PMOs,  see  “Office  Discipline:  Why  You  Need 
a  Project  Management  Office,”  Page  82.) 


PMOs  Should  Aim  High 

The  higher  the  PMO  resides  in  the  organization,  the  fewer  the  problems  reported. 
Survey  respondents  identified  the  PMO’s  level  within  their  companies  and  then 
cited  the  problems  that  exist  there. 


Problem:  Project  not  supported  by  senior  executives 


Corporate  level 

28% 

Division  level 

Business  unit  level 

25% 

35% 


Problem:  Lack  of  authority 

Corporate  level 
Division  level 
Business  unit  level 


34% 

47% 

1  49% 


Problem:  Conflict  over  project  ownership 

28% 


Corporate  level 


Division  level 

Business  unit  level 

* 

39% 


37% 


Definition  Box 


CORPORATE  Defines 


project  management  prac¬ 
tices  for  the  enterprise. 


DIVISION  Defines  project 


management  practices 
for  entire  division  of  an 
organization. 


BUSINESS  UNIT/FUNCTION 


Defines  project  management 
practices  for  a  particular  unit  or 
function,  like  marketing  or  IT. 


“You  have  to  have  a  PMO  champion  from  the  senior 
ranks.  PM  directives  are  louder  and  clearer  coming 

from  a  senior  sponsor.”  -John  Bisack,  partner,  Integrated  Management  Services 


PMO  as  communication  tool. 

Senior  managers  usually  hear 
about  projects  that  go  wrong.  The 
Project  Management  Institute’s  Lew 
Gedansky  suggests  that  PMO  heads 
maintain  a  consistent  flow  of 
communication  to  senior  executives 
and  report  both  successes  and 
problem  areas. 

The  PMO  will  keep  projects  on  time 
and  on  budget.  Some  of  the  survey 
respondents  reported  resistance  to 
attempts  to  implement  any  serious, 
rigorous  project  management 
discipline  (like  standard  project 
tracking,  reporting  and  post¬ 
completion  audits  from  employees 
in  the  various  business  units). 
“People  resist  project  management 
practices  because  they  don't  see  the 
value  at  first  or  they  think  they're 
giving  up  control  or  freedom  of  a 
project,”  said  Gedansky.  Make  sure 
your  PMO  communicates  that  it  is 
providing  the  framework  and 
methodology  for  project  manage¬ 
ment,  which  allows  the  end  user  to 
focus  on  the  project  itself.  “Project 
management  skills  also  make  the 
employee  more  valuable  to  the 
company,”  Gedansky  adds. 

Come  to  the  table  with  reinforce¬ 
ments.  Gedansky  suggests  that 
PMO  heads  create  committees  that 
include  senior  managers  who  are 
affected  by  the  particular  project. 
These  groups  can  reduce  barriers  to 
the  PMO  effectiveness  and  make 
decisions  about  resources  and 
funding  for  their  projects. 
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It's  time  for  the  death  of  fingerpointing. 


1  wireless  vendor  + 1  wireline  vendor  + 1  problem  =  multiple  places  to  place  blame.  That's  when  problems 
can  really  multiply.  And  that's  time  for  Sprint.  Sprint  built  its  wireline/wireless  network  from  the  ground  up. 
Designed  it  specifically  for  greater  reliability  and  security.  We  stand  behind  it.  And  our  industry-leading 
SLAs  back  it  up.  Let  us  show  you  how  end-to-end  accountability  works.  Especially  if  you  have  a  network 
that  doesn't.  It's  time  for  Sprint.  Go  to  sprintbiz.com/time,  or  call  1 866  831-2935. 
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One  Sprint.  Many  Solutions." 
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Internet  Services 
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INTERNET 


ACCESS 


On  Second  Thought... 

IT  WOULD  HAVE  made  an  interesting  patent  application. 

High-speed  Internet  access.  Webpages  viewed  through  a  plasma  flat- 
panel  display.  All  for  public  use  at  festivals  and  other  events  where  crowds 
gather  and  have  certain,  well,  needs. 

Microsoft  even  had  the  press  release  ready  to  go  on  what  its  British 
division  dubbed  the  iLoo,  a  proposal  designed  to  install  Internet  access  in 
portable  public  toilets—a  sort  of  portal  potty. 

But  soon  after  word  of  the  iLoo  leaked  to  the  press,  Microsoft  ended  up 
flushing  the  idea.  The  project  was  “basically  a  tongue-in-cheek”  campaign 
meant  to  follow  up  similar  initiatives  such  as  the  Internet-enabled  “MSN  park 
bench”  where  the  public  was  offered  free  Net  access,  a  spokeswoman  said. 

The  media  was  confused  about  whether  the  iLoo  concept  was  real  because 
the  idea  was  leaked  before  the  program  was  finalized.  “We  regret  that  the  press 
release  was  distributed  before  the  program  was  finalized  and  apologize  for  any 
confusion  that  has  resulted,”  a  Microsoft  statement  said.  -Scarlet  Pruitt 


SECURITY  SYSTEMS 

Airport  Tests 
Thermal  Imaging 

IN  THE  CONTROL  TOWER  at  Logan  International  Airport,  an 
oversized  computer  monitor  shows  the  airport  tarmac  below  as 
it  appears  through  the  eye  of  a  thermal  imaging  camera.  It  is  a 
landscape  of  muted  grays  punctuated  by  the  white  of  an  engine’s 
exhaust  as  a  small  passenger  jet  taxis  to  a  terminal. 

The  thermal  imaging  camera  and  the  software  that  runs  it  are 
part  of  a  new  test  program  to  find  technology  that  toughens  the 
airport’s  security  by  automatically  detecting  intruders,  according 
to  Dennis  Treece,  director  of  corporate  security  for  the  Massachu¬ 
setts  Port  Authority  (Massport),  the  state  agency  that  runs  Logan. 

The  source  of  two  flights  involved  in  the  9/11  terrorist  attacks, 
Boston's  Logan  has  become  an  early  adopter  of  security  technol¬ 
ogy,  installing  new  baggage-screening  systems  and  testing 
biometric  authentication  systems. 

The  system  couples  VistaScape  Software’s  Security  Data 
Management  System,  billed  as  physical  security  integration 
software,  with  infrared  cameras  from  Flir  Systems.  The  VistaScape 
software  analyzes  a  video  image  stream  from  the  cameras  atop 
Logan’s  control  tower.  Abnormal  movements  or  objects  show  up 
on  a  PC  screen  as  potential  threats.  While  guarding  against  the 
remote  threat  posed  by  terrorists,  the  cameras  will  help  Massport 
stay  on  top  of  more  mundane  intruders  such  as  graffiti  artists  and, 
possibly,  rats  in  some  of  the  tunnels  beneath  the  airport. 

"This  is  designed  to  save  man  power,  saving  us  from  having 
soldiers  or  police  line  up  shoulder  to  shoulder  along  the  beach,” 
Treece  says.  -Paul  Roberts 


APPLICATION  DEVELOPMENT 

The  High  Demands  of 
On-Demand  Computing 

JOEL  GRUBER,  CIO  of  RouteOne,  a  startup  joint  venture 
backed  by  the  American  Big  Three  automakers  and  Toyota,  is 
living  the  highest  order  on-demand  dream.  (For  more  on  on- 
demand  dreams  and  realities,  see  “IBM’s 
New  Hook,”  Page  48.)  Gruber  is  build¬ 
ing  a  fast,  flexible  business  process  that 
will  consolidate  all  the  different  credit 
application  processes  of  the  automakers 
and  some  participating  banks  so  that  car 
dealers  can  enter  a  customer’s  informa¬ 
tion  once  and  know  if  a  loan  is  accepted 
from  all  the  different  companies.  No 
rekeying  for  each  credit  application. 

The  business  payoff?  Speed.  Dealers 
can  get  a  customer’s  name  on  a  contract 
before  he  can  change  his  mind  and  walk  out  of  the  dealership. 

But  it  hasn’t  been  easy.  The  technology  for  making  a  single 
unit  of  customer  information  cross  the  Internet  and  interact 
with  different  computer  systems  that  all  have  different  lan¬ 
guages  and  formats  is  still  complex.  RouteOne’s  system  relies  on 
applications  written  in  Java  and  IBM’s  Websphere  application 
server.  And  he  notes  making  the  technology  work  is  not  easy. 

“I’m  continually  impressed  by  the  effort  and  expense 
required  to  do  this  kind  of  application  development,”  says 
Gruber,  who  has  25  people  working  full  time  on  the  applica¬ 
tion’s  development  and  deployment. 

Part  of  the  complexity,  according  to  Gruber,  is  the  Java  pro¬ 
gramming  language  itself,  which,  while  powerful  and  scala¬ 
ble,  exposes  to  developers  a  lot  of  programming  complexity 
that  is  hidden  in  more  mature  environments. 

Another  difficulty  is  Web  services.  Gruber’s  team  has  to 
keep  an  eye  on  constantly  evolving  standards  while  program¬ 
ming  the  application.  “You  have  to  have  a  pretty  good  idea  of 
where  the  technology  is  headed  while  you’re  designing  the 
application,”  says  Gruber.  “I  need  to  have  someone  keeping  an 
eye  on  the  standards.  I  have  to  have  a  lot  of  high-powered, 
high-priced  people  working  on  this.  It’s  daunting.” 

Just  as  daunting,  he  says,  is  nailing  the  requirements  for  a 
process  that  crosses  the  borders  of  big  auto  companies  and 
large  banks.  Their  parallel  processes  for  credit  applications  all 
differ  slightly.  Just  setting  up  the  governance  model  for  the  joint 
venture  and  getting  IT  employees  on  loan  from  the  different 
car  companies  took  three  months,  he  says.  It  has  taken  his  team 
a  year  to  arrive  at  a  process  that  all  the  companies  can  accept. 

Gruber  is  confident  that  the  new  application  will  be  a  hit 
with  dealers  when  it  goes  live  this  summer,  but  he’s  left  with  the 
feeling  that  collaborative  business  processes  need  to  be 
improved.  “They  have  to  make  it  easier  for  guys  like  me  to  do 
this,”  he  says.  -Christopher  Koch 
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AVAVA 

a  higher  plane 
of  communication 


SAY  THE  BUSIEST  CONTACT  CENTER  at 

Dana  Brake  &  Chassis*  crashes  and  is  fixed 

remotely  before  a  single  customer  order  is 

dropped.  Before  anyone  at  Dana  is  even  aware 

of  a  problem.  Did  a  problem  ever  exist?  In  the 

state  of  Avaya,  our  EXPERT  Systems™  remote 

monitoring  and  maintenance  solutions  resolve 

96%  of  all  alarms  remotely.  Nobody  has  our 

patented  leading-edge  diagnostic  tools,  including 

proactive  trouble  resolution.  And  our  Avaya  Global 

Services  professionals  bring  a  single  point  of 

accountability  to  multi-vendor  communication 

environments.  That’s  reassuring  when  you’re  a 

Fortune  500®  company  whose  customers  demand 

overnight  delivery  from  an  inventory  of  450,000 

auto  parts.  See  why  no  one  else  comes  remotely 

close  to  maximizing  your  network  investment  at 

avaya.com/services.  Or  call  866-GO  AVAYA  today. 
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Contact  Centers 

Unified  Communication 

Services 
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On  the  Move 


By  Meridith  Levinson 


Role  Reversals 


SEVERAL  COMPANIES  HAVE  recently  put 
their  finance  executives  in  charge  of  IT. 
Waste  Connections  is  just  one  of  them. 
Last  April,  the  Folsom,  Calif.-based  dis¬ 
posal  company  named  its  Vice  President 
and  Chief  Accounting  Officer  Michael  Foos 
as  its  first-ever  CIO.  Other  companies  in 
which  the  bean  counters  have  recently 
taken  over  IT  responsibilities  include  Cen¬ 
tral  Bancorp,  Harmon  Auto  Glass  and 
Somnus  Medical  Technologies  (see  “Here 
Come  the  Chief  Everything  Officers”  at 
www.  do.  com/printlinks ) . 

Of  course,  this  executive  role-sharing  is 
a  two-way  street — CIOs  have  become 
CFOs  as  well.  Ulf  Nilsson  served  as  CIO  of 
Volvo  Truck  in  1996  before  becoming  the 
company’s  CFO  a  year  later.  James  Yost 
was  first  a  CIO  at  Ford  before  he  was 
named  executive  director  of  finance.  More 
recently,  Thomas  Fanning  was  the  CIO  of 
the  Southern  Co.  before  he  took  over  the 
CFO  and  treasurer  positions  with  the 
energy  company  last  March. 

Even  when  they’re  not  directly  in  charge 
of  IT,  CFOs  are  increasingly  in  charge  of 
CIOs.  In  the  April  1,  2003,  State  of  the 
CIO  issue  (see  “What  You  Have  to  Say” 
at  www.do.com/printlinks),  CIO  found 
that  twice  as  many  CIOs  report  to  the 
finance  chief  this  year  as  compared  with 
last  year.  No  one  knows  that  better  than 
Mostafa  Mehrabani  (left),  the 
former  CIO  of  defense 
company  TRW,  who  joined 
McGraw-Hill  last  March  as 
executive  vice  president  of 
information  management 
and  CIO.  He  now  reports  to  the  $4.8  bil¬ 
lion  publisher’s  executive  vice  president  and 
CFO,  Robert  J.  Bahash. 

Other  CIOs  such  as  Robert  Slotnick  and 
Rick  Schach  are  happy  to  take  on  addi¬ 
tional  responsibilities  beyond  IT  and 


finance  to  bring  additional  value  to  their 
positions.  Slotnick,  who  was  promoted  to 
senior  vice  president  and  CIO  of  Perfor¬ 
mance  Food  Group  last  May,  was  also  put 
in  charge  of  constructing 
new  facilities  for  the  pri¬ 
vate-label  food  distributor. 
That  same  month,  Schach, 
vice  president  and  CIO  of 
utility  company  Vectren, 
added  the  title  vice  president  of  energy 
delivery  to  his  business  card. 


More  CIOs  Get  on  Board 

Despite  the  seemingly  incessant  chatter 
about  CFOs  taking  over  IT,  the  business 
world  obviously  still  holds  the  CIO  in  high 
regard.  Two  renowned  brand-name  com¬ 
panies  appointed  CIOs  to  their  boards  of 
directors  last  April.  Hershey  Foods  named 
Harriet  Edelman,  CIO  of  Avon  Products,  to 
its  board  of  directors  on  April  22,  2003. 
Two  days  later,  Toys  “R”  Us  elected  Cinda 
A.  Hallman  (left),  the  former  CIO  of  DuPont 
and  current  CEO  of  IT  services  company 
Spherion,  to  its  board.  (To  read  more  about 
CIOs  serving  on  corporate  boards,  see  “Get 
on  Board”  at  www.do.com/printlinks.) 
That  just  proves  the  world  is  chock-full  of 
opportunities  for  good  CIOs. 


PROFILE:  BACK  IN  THE  GAME 
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TRACY  AUSTIN  doesn’t  care  to  reminisce  about  her  17 
years  with  Harrah’s  Entertainment,  the  Las  Vegas-based 
casino  company  for  which  she  created  the  famous  Total 
Rewards  loyalty  program.  “It's  old  news,”  she  says. 

In  June  2001,  she  left  her  position  as  vice  president  of 
IT  development  for  Harrah's  because  “I  really  wanted  to 
do  something  different,”  says  the  44-year-old  Austin. 

That  “something  different”  turned  out  to  be  working  as 
an  independent  consultant,  which  is  what  many  IT  execs 
do  when  they  tire  of  their  current  jobs  but  aren’t  certain 

of  their  next  move.  For  a  year  and  a  half,  Austin  worked  with  gaming,  hospitality  and 
IT  companies  on  their  CRM  and  IT  leadership  initiatives. 

While  Austin  was  consulting  with  the  Mandalay  Resort  Group,  helping  the 
$2.3  billion  company  extract  greater  returns  from  its  investments  in  IT  infrastruc¬ 
ture  and  an  Epiphany  CRM  system,  the  company  offered  her  a  permanent  position. 
On  March  3,  2003,  she  became  the  first-ever  CIO  for  Mandalay,  which  operates  15 
U.S. -based  properties  including  Mandalay  Bay,  the  Excalibur  and  the  Luxor. 

Even  though  she’s  returned  to  familiar  territory,  Austin  faces  new  challenges. 
First  and  foremost,  she's  trying  to  familiarize  herself  with  her  new  company’s  day- 
to-day  operations.  At  the  same  time,  she’s  being  careful  to  not  get  bogged  down  in 
the  daily  minutiae  for  fear  that  constantly  putting  out  fires  would  prevent  her  from 
achieving  the  goal  she’s  set  for  her  70-person  IT  group:  to  be  known  for  sound 
management  and  HR  practices,  determined  focus  on  ROI,  and  being  responsive  to 
Mandalay’s  fluctuating  business  and  IT  needs.  She  is  lucky,  she  says,  because  she 
is  the  company's  first  CIO.  No  one  has  any  preconceived  notions  about  what  she 
should  be  doing  or  how  she  should  be  doing  it. 
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REAL-TIME  BUSINESS  ISN’T 

JUST  ABOUT  GETTING 
INFORMATION  FASTER. 


IT’S  ABOUT  MAKING  SURE 
YOUR  BUSINESS  CAN 

TAKE  ADVANTAGE  OF  IT. 

In  a  true  real-time  business,  everything  moves 
faster.  Your  data  is  always  where  and  when 
it's  needed.  You  coordinate  activities  and 
automate  processes  end  to  end.  You  enjoy 
greater  visibility  and  understanding.  And  you 
have  the  ability  to  drive  your  business  with 
new  immediacy. 

TIBCO  Software's  proven  integration 
solutions  enable  real-time  business.  By 
unifying  and  optimizing  your  existing 
assets — people,  processes  and  legacy 
systems — you  can  do  more  with  what 
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you  already  have.  And  do  it  better.  It's  what  we  call  The  Power 
of  Now!”  Our  unbiased,  independent  approach  and  easily- 
deployed  integration  solutions  can  help  you  grow  your  business 
even  in  today's  difficult  environment. 

As  the  world's  leading  independent  integration  software  provider, 
TIBCO  has  helped  more  than  2,000  companies  take  advantage  of 
real-time  business.  Discover  how  you  can  put  The  Power  of  Now  to 
work.  Call  888-558-4226  or  visit  us  at  www.tibco.com/cic 


REAL-TIME  IN  ACTION:  DELTA  AIR  LINES 


Delta  Air  Lines  partnered  with  TIBCO  to 
create  the  Delta  Nervous  System,  which 
connects  Delta's  13  business  units  and  30 
databases,  and  handles  more  than  5  million 
daily  business  events. 

“The  ability  to  share  information  with  our 
employees  and  customers  in  real-time,  and 
to  automate  how  we  share  it,  has  allowed 
us  to  transform  our  business,  improve 
customer  service,  and  reduce  costs.” 


The  Power  of  Now™ 


— Curtis  Robb,  Delta  Air  Lines  CIO, 
Delta  Technology  CEO 


www.mscsoftware.com 
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THE  BITTER  TRUTH  IS  THAT 

NOBODY 

CARES 

HOW  YOU  GET  THE  END  RESULT, 
JUST  THAT  YOU  DO. 


When  your  software  fails,  do  they  care?  When  you 
discover  your  systems  are  totally  inadequate,  are 
they  understanding?  Of  course  not. 

You  need  someone  to  be  there  with  you  from  A 
to  Z.  We're  here.  We  know.  We  understand.  If  it's 
important  to  you,  it's  important  to  us.  Because 
they  only  care  about  one  thing....  and  so  do  we. 
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HANDHELD  APPLICATIONS 


Emoting?  Tap  Here 


PDAS  HAVE  EMERGED  as  the  saving  grace  for  psychologists  who  study 


people’s  moods. 

Since  the  1940s,  researchers  conducting  so-called  diary  studies  have 
asked  participants  to  record  their  many  moods  with  pencil  on  paper.  Now 
subjects  can  tap  on  words  like  amused  or  relieved  to  record  their  emo¬ 
tions  with  stylus  on  handheld  computer  screen. 

There’s  a  triple  benefit:  First,  participants  like  using  PDAs  more  than 
paper.  Second,  it’s  easy  to  tabulate  results.  And  third,  the  time-stamped 
entries  are  more  accurate,  says  Eshkol  Rafaeli,  a  New  York  University 
postdoctoral  fellow  who  coauthored  the  study  “Diary  Methods:  Capturing 
Life  as  It  Is  Lived”  ( Annual  Review  of  Psychology,  2003). 

instead  of  spending  10  hours  a  day  for  months  entering  and  recheck¬ 
ing  data  manually,  researchers  can  quickly  download  the  information 
onto  their  PCs.  And  they  know  for  sure  when  a  person  answered  a  ques¬ 
tion  and  how  long  it  took. 

The  time  stamp  is  crucial  to  Lisa  Feldman  Barrett,  a  Boston  College 
psychology  professor.  The  PDAs  tell  Barrett  how  long  her  subjects  took  to 
respond:  if  some  adjectives  were  checked  off  quickly,  that  person  may  be 
more  aware  of  his  feelings.  “Being  precise  about  your  emotions  helps  you 
to  regulate  your  feelings  and  have  strong  social  relationships,  and  it 

improves  work  efficiencies,”  she  says. 
About  five  years  ago,  Barrett 
and  her  software  engineer 
husband  developed  freeware 
called  the  Experienced 
Sampling  Program  (ESP, 
available  at  www2.bc.edu/ 
barretli/esp/index.html ). 

ESP  can  randomize  answers 
(it's  boring  for  a  study 
subject  if  35  emotions,  from 
"active”  to  “calm,”  look  the 
same  12  times  a  day  for  a 
month)  and  beep  the 
participant  when  it’s  time 
answer. 

Future  enhancements 
may  depend  on  grant 
funding.  Barrett  says 
that  could  hinder  how 
quickly  her  PDA  appli¬ 
cation  progresses: 
ideas  for  future  projects 
include  recording 
connections  between  a 
person’s  feelings  and 
his  heart  rate,  or  even 
his  facial  expressions 
and  voice. 

-Sarah  Johnson 


This  Date  in 
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Computer  Export  Ban  Lifted 

1989  The  U.S.  Commerce 
Department  announces  on 
July  18  the  lift  of  trade  sanctions  of 
midlevel  PCs  with  the  Communist 
bloc.  The  Soviet  Union  and  China 
are  importing  equivalent  systems 
from  Brazil,  India  and  Taiwan,  and 
existing  export  rules  prevent  U.S. 
companies  from  profiting  in  the 

region.  The  decision  opens  the  doors  for  American  comput- 
ermakers  to  market  midlevel  desktops,  laptops  and  other 
portable  computers  to  the  previously  restricted  region.  The 
move  comes  after  years  of  stringent  trade  controls  on  such 
computer  systems  sales.  Defense  Department  officials  object 
to  the  move,  calling  it  a  threat  to  national  security.  Dick 
Cheney  (above  in  1989),  President  George  H.W.  Bush’s 
defense  secretary  at  the  time,  says,  “This  will  give  [the 
Communist  bloc]  a  computer  capability  that  has  military 
applications  that  should  be  avoided.”  Pentagon  officials 
contend  that  the  computers  available  to  their  Cold  War 
counterparts  far  exceeds  the  capacity  of  U.S.  government 
systems.  Four  months  later,  the  Berlin  Wall  falls. 


Other  Notable  Events 
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Microsoft  releases  the  first 
version  of  Windows  in  1985. 

The  operating  system 
struggles  to  work  with  low- 
power  PCs  of  the  day. 


5 


Lotus  acquiesces  to  IBM's 
$3.52  billion  takeover  bid  in 
1995.  It’s  the  largest  software 
acquisition  ever. 
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A  plant  worker  in  Jackson, 
Mich.,  becomes  the  first  victim 

of  a  robot-related  fatality  when 
he  is  pinned  against  a  safety  bar 
by  a  factory  robot  in  1984. 

Bill  Gates,  Microsoft’s 
chairman  and  CEO,  names 

Steve  Ballmer  the  company’s 
president  in  1998. 
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In  1962,  a  glitch  in  the 
guidance  program  code  of  the 


Mariner  1  sends  the 
unmanned  interplanetary 
spaceprobe  flying  off-course. 
NASA  destroys  the  craft  less 
than  five  minutes  into  flight. 


26 


In  1989,  a  grand  jury  indicts  a 
Cornell  student  under  the 
Computer  Fraud  and  Abuse 
Act  of  1986  for  deploying  a 
virus  that  shut  down  comput¬ 
ers  at  NASA,  Purdue  and  the 
Wright- Patterson  Air  Force 
Base.  He  is  the  first  person 
prosecuted  under  the  1986 
law.  He  is  later  fined  and 
sentenced  to  probation  and 
community  service. 

-Daniel  J.  Horgan 
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Confessions  of  the  World's  Most  Demanding  CIOs. 


"  In  a  word,  I  need 
fasterbettercheaper." 

"It's  what  travelers  want,  too.  Faster-better-cheaper  drives  our 
businesses — from  Travelocity-  to  managing  vital  systems  for  the  world's 
airlines.  We  process  travel  transactions  by  the  hundreds  of  millions. 

Which  means  analyzing  billions  of  fare  combinations  across  countless 
route  alternatives,  and  doing  it  in  seconds. 

"HP  came  in  and  made  faster-better-cheaper  a  reality  for  us.  Their 
team  designed  an  open  solution  that  delivers  business  continuity  and 
horizontal  scaling  across  multiple  platforms.  High-end,  fault-tolerant 
resources  are  focused  on  critical  processes.  Other  tasks  get  passed  off 
to  cost-efficient  systems.  And  HP  is  accountable  for  it  all. 

"We've  doubled  productivity,  our  cost  of  ownership  is  way  down  and 
we  consistently  find  the  lowest  fare  more  often  than  our  competitors. 

Sum  that  up  in  one  word." 

Sabre  Holdings  demands  more  from  IT  and  HP  makes  sure  they  get  it. 


=  everything  is  possible 


www.hp.com/go/demandmore 


invent 


Confessions  of  the  World's  Most  Demanding  CIOs. 
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"CIBC  requires  rock-solid  reliability.  Our  customers  trust  us  with 
billions  in  assets,  which  fuel  both  their  business  and  personal  ambitions. 
Our  IT  has  to  ensure  their  money  is  secure  and  always  available. 

yyWeyre  always  looking  for  ways  to  push  harder  and  get  more  out  of 
IT.  We  have  a  mixed  environment— from  handhelds  to  mainframes  — 
and  we  require  a  strategic  partner  to  make  it  all  work  together,  to 
make  it  invincible. 

"HP  Services  came  in,  looked  at  our  entire  IT  environment,  and 
together,  we  designed  the  right  outsourcing  solution  that  cut  costs, 
limited  risk  and  has  ultimately  made  us  more  flexible." 

CIBC  demands  more  from  IT  and  HP  makes  sure  they  get  it. 


=  everything  is  possible 


www.hp.com/go/demandmore 
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Fundamentals 

of  Value 

To  achieve  a  value  mind-set,  focus  relentlessly  on  customers 

BY  MOHANBIR  SAWHNEY 

THE  MISSION  OF  THIS  COLUMN  has  been  to  help  readers  understand 
how  to  create  value  through  IT.  For  the  past  year  and  a  half,  I 
have  shared  my  ideas  about  how  value  is  created,  defined, 
measured,  captured  and  sustained.  I  hope  that  my  ideas  have 
made  a  difference.  I  am  now  beginning  work  on  a  new  book 
about  customer  value,  so  this  will  be  my  last  column.  For  my 
closing  piece,  I  thought  I  would  synthesize  the  ideas  I  have 
written  about  in  CIO  by  reflecting  on  the  nature  of  value. 

Here  are  seven  fundamental  lessons  I  have  learned  in  my 
decade-long  career  as  an  academic  researcher,  consultant  and 
teacher. 

1.  Value  is  customer-defined.  Never  forget  that  value  is 
defined  by  those  who  use  IT  and  those  who  pay  for  it.  To 
understand  the  true  nature  of  value,  you  need  to  get  inside  the 
minds  and  hearts  of  your  customers,  whether  they’re  internal  or 
external.  Define  value  using  their  vocabulary,  not  the  “feeds 
and  speeds”  that  you  may  be  comfortable  with.  For  CIOs,  that 
means  learning  the  language  of  CFOs,  who  think  about  return 
on  assets,  ROI  and  net  present  value,  and  of  business  executives, 
who  define  value  in  terms  of  shareholder  value,  inventory  turns 


and  customer  churn.  Vendors  must  communicate  the  value  of 
their  products  not  in  terms  of  what  these  products  do,  but  what 
they  do  for  customers ,  expressed  in  a  language  that  customers 
can  relate  to.  Concepts  like  “utility  computing”  and  “business 
agility”  may  be  catchy  vendorspeak,  but  these  abstract  ideas 
need  to  be  made  concrete  and  relevant  for  specific  customers 
and  vertical  markets. 

2.  Value  is  opaque.  An  important  consequence  of  value 
being  defined  by  customers  is  that  it  is  very  difficult  to  quan¬ 
tify.  As  I  have  argued  in  previous  columns,  to  quantify  value, 
you  need  to  understand  all  factors  that  customers  take  into 
consideration  in  assessing  value,  and  you  have  to  understand 
the  relative  importance  that  customers  place  on  each  factor.  In 
the  absence  of  this  understanding,  you  are  shooting  in  the 
dark.  You  need  to  develop  robust  customer  value  models  that 
are  calibrated  with  data  collected  from  customers.  Once  you 
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understand  the  factors  that  specific  customers  consider  when 
making  decisions,  and  how  they  make  trade-offs,  you  can 
develop  a  better  understanding  of  the  value  propositions  that 
might  appeal  to  each  one. 

3,  Value  is  multidimensional.  A  common  myth  in  business 
is  that  IT  investment  decisions  are  made  solely  on  functional 
value — a  product’s  features  and  functionality.  Value  has  two 
other  dimensions  as  well:  economic  value — what  these  fea¬ 
tures  and  functions  are  worth  to  customers  in  terms  of  time 
and  money;  and  psychological  value — the  emotional  benefits 
that  customers  get  from  your  products  or  your  company.  Con¬ 
sider  the  value  proposition  of  HP’s  Pocket  PC-based  PDA. 
According  to  HP,  the  benefits  of  the  iPaq  are  its  powerful 

As  IT  becomes  an  enabler  of  business 
agility  and  competitive  advantage,  we  need 
to  move  the  dialogue  away  from  cost  alone  to 
the  business  value  of  IT. 

processor,  bright  screen,  expandability  and  flexibility — a  state¬ 
ment  of  functional  value.  But  to  close  a  sale,  HP  must  also 
demonstrate  economic  value  with  quantified  estimates  of 
improved  productivity  for  end  users  as  well  as  application 
developers.  And  HP  must  convince  customers  of  the  emo¬ 
tional  benefits  of  choosing  a  device  platform  that  is  backed  by 
reputable  and  financially  solid  companies  such  as  HP  and 
Microsoft.  Functional  value  is  a  starting  point,  but  you  need 
to  translate  it  into  economic  value.  And  you  need  to  get 
beyond  the  “arms  race”  of  functional  differentiation  by  devel¬ 
oping  emotional  appeals  that  are  far  more  sustainable  than 
today’s  latest  feature.  Consider  IBM’s  famous  proposition: 
“Nobody  ever  got  fired  for  buying  IBM.” 

4.  Value  is  a  trade-off.  Value  is  the  perceived  worth  of 
something  in  relation  to  the  total  cost  that  customers  pay  for 
it.  This  definition  underscores  the  fact  that  value  is  a  trade-off 
between  costs  and  benefits.  I  have  been  a  strident  critic  of 
measuring  IT  value  in  terms  of  total  cost  of  ownership  (TCO). 
TCO  is  a  vestige  of  the  days  when  IT  was  a  utility  in  the  back 
office  to  be  managed  at  the  lowest  possible  cost.  As  IT  becomes 
an  enabler  of  business  agility  and  competitive  advantage,  we 
need  to  move  the  dialogue  away  from  cost  alone  to  the  busi¬ 
ness  value  of  IT.  I  applaud  the  work  of  Gartner  and  other  IT 
consultants  to  define  what  Gartner  calls  the  total  value  of 
ownership.  By  focusing  on  total  value,  you  can  evaluate  IT 
investments  as  a  trade-off  between  the  value  created  by  the 
investment,  relative  to  the  total  costs  that  you  can  expect  to 
incur. 


5.  Value  is  contextual.  You  cannot  divorce  the  value  of  an 
IT  system  from  the  context  in  which  it  will  be  used.  Consider 
the  purchase  of  a  laptop  computer.  A  salesperson  who  is  on  the 
road  a  lot  and  needs  to  communicate  constantly  with  the  home 
office  will  place  great  value  on  portability  and  connectivity. 
On  the  other  hand,  a  design  engineer  in  the  same  company 
who  uses  the  laptop  for  computer-aided  design  and  works  out 
of  the  same  office  every  day  will  value  graphics  performance 
and  display  quality.  Unless  you  understand  the  end-usage  con¬ 
text,  you  run  the  risk  of  creating  value  propositions  and  offer¬ 
ings  that  are  irrelevant  for  customers. 

6.  Value  is  relative.  Customers  never  assess  value  of  an  offer¬ 
ing  in  isolation.  They  always  consider  value  relative  to  alterna¬ 
tives.  These  alternatives  may  not  be  other  products  or 
systems,  but  other  ways  of  accomplishing  the  same  goals 
or  doing  nothing  at  all.  An  enterprise  that  is  evaluating  a 
CRM  system  to  lower  customer  support  costs  and  to 
improve  customer  retention  may  consider  outsourcing 
customer  care  to  offshore  locations  instead.  When  evalu¬ 
ating  whether  to  upgrade  a  company’s  desktop  PCs,  the 
CIO  may  consider  putting  off  the  decision  for  another 
year.  It  pays  to  understand  who  or  what  you  are  up 

against  because  this  is  the  frame  of  reference  that  your  customers 
use  to  evaluate  your  value  proposition.  By  understanding  com¬ 
peting  alternatives,  you  will  also  be  able  to  focus  on  points  of  dif¬ 
ferentiation  relative  to  these  options  and  ignore  points  of  parity 
that  clutter  and  dilute  your  value  proposition. 

7.  Value  is  a  mind-set.  Value-based  management  is  more 
than  models  or  processes.  The  value  mind-set  is  grounded  in 
the  belief  that  the  sole  purpose  of  a  company  is  to  create  value 
for  its  customers  and  to  be  compensated  equitably  for  its 
efforts.  Therefore,  everything  the  company  says  and  does 
should  revolve  around  its  customers — not  its  products.  This 
is  a  radical  shift  in  perspective,  and  few  companies  truly 
embrace  this  idea  despite  their  claims  of  being  customer- 
focused. 

In  stormy  economic  seas,  value  can  serve  as  an  anchor  by 
reminding  you  that  every  initiative  you  engage  in  should  be 
grounded  in  a  clearly  articulated  customer  value  proposition. 
If  you  focus  relentlessly  on  defining  value  as  customers  do, 
designing  your  offerings  based  on  what  customers  value,  and 
measuring  your  performance  in  terms  of  the  value  that  cus¬ 
tomers  experience,  you  will  find  your  destination.  Good  luck 
on  the  journey.  E3E] 


Does  value  anchor  your  business?  Write  netgains@ 
cio.com.  Mohanbir  Sawhney  is  the  McCormick 
Tribune  Professor  of  Technology  at  Northwestern 
University's  Kellogg  School  of  Management.  He  can 
be  reached  at  mohans@kellogg.northwestern.edu. 
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Howto 
Survive  in  the 
Public  Sector 

As  the  former  CIO  of  Wyoming  learned, 
it’s  not  easy  staying  on  top  of  the  political  bull 

BY  WILLIAM  CAMPBELL 

IN  GRADUATE  SCHOOL,  THEY  TEACH  you  that  the  principles  of  sound 
information  systems  management  are,  like  the  laws  of  physics, 
valid  throughout  the  universe.  My  experiences  in  the  private 
sector  seemed  to  bear  this  out,  as  time  after  time  the  lessons 
learned  in  one  assignment  proved  useful  in  the  next.  So  when 
I  was  hired  to  develop  and  implement  a  formal  IT  program 
for  the  executive  branch  of  government  of  a  large  western  state, 
it  seemed  reasonable  to  infer  that  my  17  years  in  IT  manage¬ 
ment  would  provide  solid  footing  for  doing  some  truly  ground¬ 
breaking  work  in  state  government.  Silly  me. 

State  government  turned  out  to  be  unlike  anything  I  had 
done  before.  Things  were  done  according  to  unfathomable 
unwritten  rules  I  didn’t  understand,  and  my  intuitive  problem¬ 
solving  “compass”  kept  getting  me  lost.  I  soon  realized  that 
leading  IT  reform  in  state  government  requires  decidedly  dif¬ 
ferent  characteristics  than  those  found  in  the  private  sector.  So 
for  the  benefit  of  those  considering  a  job  in  the  public  sector, 
here  are  some  differences  you  should  know  about  beforehand. 
Organizational  turbulence  can  be  high  in  state  government, 


especially  in  the  wake  of  an  election.  I  was  hired  by  one  gov¬ 
ernor  and  three  months  later  found  myself  working  for 
another — one  who  disliked  and  distrusted  his  predecessor  and 
valued  information  technology  very  little.  Several  agency  direc¬ 
tors  had  participated  in  my  hiring  and  gave  me  verbal  assur¬ 
ances  of  support  and  assistance.  Within  a  few  weeks  of 
inauguration  day,  however,  all  but  one  were  gone,  and  I  found 
myself  without  a  constituency.  The  merits  of  my  proposed 
reforms  were  rock  solid:  a  process  for  converging  toward  a 
single  enterprise  architecture,  a  mechanism  for  sound  financial 
controls,  a  structure  for  correcting  the  vendor  abuses  of  the 
past,  estimated  cost  savings  of  $70  million  per  biennial  budget 
period  and  so  on.  The  program  was  designed  to  skyrocket 
Wyoming’s  Digital  State  ranking  from  dead  last  to  middle  of  the 
pack  in  about  1 8  months,  and  give  the  governor  and  the  legis¬ 
lature  unprecedented  visibility  into  IT  activity  and  spending. 
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Even  so,  the  new  governor  had  no  interest  in  my  reforms,  and 
for  several  months  I  wandered  around  like  a  rain-soaked 
orphan,  looking  for  someone  to  adopt  me.  Potential  state  CIOs 
should  evaluate  the  likely  longevity  of  their  future  bosses  before 
jumping  in,  especially  if  elections  are  imminent. 

Grandstanders  Need  Not  Apply 

To  sell  my  program,  I  knew  I  would  have  to  build  as  broad  a 
support  base  as  I  could  outside  the  statehouse.  I  put  together  a 
high-octane  presentation,  driving  home  the  business  advan¬ 
tages  of  the  program.  I  then  got  in  front  of  as  many  decision¬ 
makers  as  I  could  to  pitch  it.  The  cabinet-level  agency  directors 


tives  can  simmer  year  after  year,  and  eventually  pass  in  the 
third  or  forth  year.  One  staffer  told  me  that  a  bill  had  been 
introduced  in  Wyoming’s  2003  legislative  session  merely  to 
gain  momentum — to  “clear  the  stubble,”  as  he  put  it — for  rein¬ 
troduction  the  next  year.  Hired  in  September  2002, 1  was  dis¬ 
tressed  to  learn  that  the  first  opportunity  for  submitting 
enabling  legislation  for  the  new  IT  management  program  (to 
formally  establish  the  required  organizations  and  provide  fund¬ 
ing)  would  be  in  2004!  Not  exactly  nimble. 

If  you  are  a  dogged  kind  of  manager  who  doesn’t  mind  the 
long  haul,  state  government  may  be  a  fit.  If  pulse-pounding 
impatience  characterizes  your  management  style,  you  will  prob¬ 
ably  give  yourself  a  heart  attack. 


Everything  in  state  government  is  political  and 
immovably  grounded  in  “turf.” 


proved  to  be  a  receptive  audience  and  a  good  source  of  support 
to  counterbalance  the  absence  of  the  governor’s  sponsorship. 

In  the  private  sector,  the  merits  of  a  compelling  idea  or  the 
support  of  a  powerful  sponsor  are  sometimes  all  that  are 
required  to  keep  an  initiative  alive.  But  in  state  government, 
compromise  is  the  fuel  of  forward  motion.  For  me,  the  ulti¬ 
mate  example  of  this  was  how  the  Wyoming’s  executive  branch 
agencies  came  together  to  craft  a  governance  structure  to  man¬ 
age  the  state’s  IT  program.  IT  activity  had,  for  many  years, 
been  almost  completely  decentralized,  and  initiatives  were 
planned  by  the  various  agencies.  Collaboration  was  rare,  and 
redundancy  of  staffing  and  platforms,  duplication  of  develop¬ 
ment  efforts,  and  unmanaged  spending  were  apparent  every¬ 
where.  Until  the  office  of  the  CIO  began  pulling  the  numbers 
together,  no  one  in  Wyoming  imagined  that  the  state  had  more 
than  900  people  working  full-time  in  IT  and  that  total  budget 
authority  for  IT-related  items  exceeded  $200  million  per  two- 
year  budget  cycle — an  eye-opener  in  a  state  with  a  total  bien¬ 
nial  budget  of  only  $4.3  billion. 

Bit  by  bit,  we  began  collaboratively  constructing  a  gover¬ 
nance  model  that  accommodated  the  priorities  of  all  partici¬ 
pating  parties.  In  the  end,  the  governance  structure  that  took 
shape  was  a  “federated”  arrangement  that  shared  authority 
between  the  CIO  and  a  body  representing  the  executive  branch 
agencies.  This  was  a  first  for  Wyoming,  and  compromise  was 
the  principle  that  made  it  possible. 

While  corporations  like  to  be  thought  of  as  nimble  on  their 
feet,  state  governments  are  fine-grinding  and  don’t  have  the 
financial  flexibility  for  quick  changes.  Budget  planning  begins 
at  least  a  year  in  advance  of  spending — usually  more — and 
some  budget  cycles  are  two  years  in  duration.  Moreover,  with 
legislatures  calling  the  shots,  nothing  is  certain.  Some  initia¬ 


Politics  Rule 

Everything  in  state  government  is  political, 
tightly  wrapped  in  sticky  issues  of  influence 
and  immovably  grounded  in  “turf.”  I  have  lost 
track  of  the  number  of  meetings  that  started  off  with  a  caveat 
such  as,  “we  need  to  take  off  our  agency  hats  and  put  on  our 
Wyoming  hats.”  That  said,  the  meeting  would  then  be  spent  in 
incessant  and  elegant  maneuvering  for  turf.  I  actually  have  been 
greatly  encouraged  to  find  a  number  of  managers,  mostly  tech¬ 
nologists,  willing  to  suspend  their  personal  loyalties  in  pursuit 
of  the  greater  good.  But  it  would  be  naive  to  forget  that  those 
individuals  are  exceptions  to  the  rule. 

Sometimes,  in  spite  of  all  you  do,  politics  prevail.  Our  labo¬ 
riously  crafted  IT  program,  for  example,  was  swapped  away  in 
a  horse  trade  among  elected  officials  in  order  to  keep  the  peace 
in  the  statehouse.  The  elected  state  auditor  saw  the  entire  IT 
reform  effort  as  an  incursion  into  his  turf  and  began  maneu¬ 
vering  for  its  derailment.  The  governor  who  hired  me  provided 
strong  political  cover  to  get  the  program  started,  but  the  new 
governor  was  not  so  astute.  He  finally  gave  in  to  the  auditor’s 
incessant  lobbying  and  surrendered  control  of  the  executive 
branch  IT  program  to  him.  Again  at  the  auditor’s  insistence,  the 
governor  fired  me  and  appointed  a  replacement  of  the  auditor’s 
choosing — a  career  accountant  who  would  preserve  the  status 
quo  and  ensure  the  plans  for  IT  spending  accountability  would 
never  see  the  light  of  day.  Potential  state  CIOs  need  to  decide 
whether  they  would  flourish  in  this  highly  political  environ¬ 
ment  or  be  driven  nuts  by  it.  (For  more,  read  “From  Private  to 
Public”  at  www.cio.com/printlinks.) 

Think  you’re  up  to  it?  At  least  now,  you  can  go  into  it  with 
your  eyes  open.  I  wish  I  had.  HEI 

William  Campbell  was  Wyoming’s  first  CIO  and  "cleared  the  stubble” 
for  those  to  follow.  He  now  works  for  the  Technical  Services  Organiza¬ 
tion,  the  systems  development  arm  of  the  Defense  Finance  and 
Accounting  Service.  He  can  be  reached  at  c_wm_campbelt@msn.com. 
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Managing  your  Windows  server  environment  is  easier 
than  ever  with  Microsoft  Operations  Manager.  And, 
as  a  key  Microsoft  partner,  NetlQ  extends  Microsoft 
Operations  Manager  to  manage  and  secure  your 
entire  enterprise,  whether  you're  driving  UNIX, 
NetWare,  Linux,  Windows.. .or  all  of  them.  NetlQ. 
We're  the  management  people.  And  nobody  does 
management  smarter.  Nobody. 


CIO  eBook!  Get  your  free  copy  of  From  Chaos  to  Control: 
The  CIO's  Executive  Guide  to  Managing  and  Securing 
the  Enterprise,  www.netiq.com/manageability, 
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On  demand. 


Triggers  routine  analysis  to  help  prevent  component  failure 


The  human  body  can  anticipate  problems  on  demand.  As  can  IBM 
eServer.  Select  eServer  xSeries™  models  are  designed  to  sense  when 
any  one  of  six  system  components  exceeds  a  safe  threshold.  They 
respond  by  notifying  the  system  administrator,  allowing  you  to  replace 
a  part  up  to  48  hours  before  it  fails. 

eServer:  servers  for  on  demand  business. 

Can  you  see  it?  See  it  at  ibm.com/eserver/ondemiand 
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Tom  Davenport  I  The  New  Work  Order 

Retooling  the  Knowledge  Worker 


We  thought  companies  would  wantto  single  out  their 
“high  end”  knowledge  workers  for  special  treatment. 

We  were  wrong. 

ABOUT  A  YEAR  AGO,  a  couple  of  colleagues  and  I  had  the  idea  of 
studying  how  organizations  are  trying  to  improve  knowledge 
work  these  days.  My  colleagues  (Bob  Thomas  and  Sue  Cantrell) 
reminded  me  of  the  current  tendency  to  call  just  about  any¬ 
body  a  knowledge  worker.  So  as  not  to  run  afoul  of  this  trend, 
we  decided  not  to  focus  on  just  any  old  knowledge  worker, 
but  rather  on  the  “high  end”  variety.  Not  programmers,  but 
Senior  IT  Architects.  Not  paralegals,  but  Senior  Attorneys.  Not 
financial  analysts,  but  Very  Well-Paid  Investment  Bankers.  We 
reasoned  that  those  types  of  workers  are  increasingly  important 
to  organizations.  Surely  companies  across  the  land  were  singling 
out  these  people  for  special  treatment  and  bringing  organiza¬ 
tional,  technological  and  architectural  resources  to  bear  on 
making  them  more  productive  and  effective. 

Well,  we  were  wrong.  We  talked  to  more  than  30  compa¬ 
nies,  each  of  which  had  plenty  of  such  people.  Each  also  had 
some  kind  of  initiative  to  improve  the  work  lives  of  knowledge 
workers  already  under  way.  But  hardly  a  one  of  them  had  any 
focus  on  the  “high  end.”  In  fact,  some  even  objected  to  the 
idea  of  singling  out  a  group  of  knowledge  workers  for  special 
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treatment — even  though  many  of  these  organizations  certainly 
gave  a  variety  of  special  treatments  to  senior  executives.  When 
we  found  a  handful  of  companies  that  would  admit  they  had 
high-end  knowledge  workers — and  even  that  those  workers 
sometimes  got  special  privileges  and  attention — they  still 
didn’t  want  to  go  public  with  it.  A  strong  sense  of  democratic 
ideals — or  a  politically  correct  facsimile  of  them — prevented 
any  notion  that  these  high-end  knowledge  people  are  worth 
singling  out. 

We  didn’t  want  to  take  no  for  an  answer,  however — that 
would’ve  made  for  a  very  brief  research  project.  So  we  asked 
the  companies  what  they  were  doing  on  behalf  of  regular  old 
knowledge  workers.  Again,  we  were  a  bit  frustrated.  They  were 
doing  a  lot,  they  told  us,  such  as: 

■  Putting  workers  in  open  work  settings  to  facilitate  commu¬ 
nication  (and  reduce  costs,  the  cynic  might  say) 


ILLUSTRATION  BY  MICHAEL  SLOAN 


With  an  economy  of  gesture,  he  can  choreograph  a  complex 
dance  of  10-ton  trucks.  A  short  blast  of  his  whistle  and  a 
fleet  of  cab  drivers  know  exactly  what  he's  thinking. 

How  well  do  you  share? 


Imagine  being  able  to  conduct  information  through  your 
organization  with  the  same  efficiency  as  Poliziotto  Formisano. 
It  can  begin  by  simply  using  your  existing  IT  network  to 


share  images  and  documents  more  effectively. 
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Image  Communication 


Go  to  ricoh.com/share  to  see  how  Aficio5 networkable 
equipment  can  help  you  share  better. 
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■  Placing  workers  in  closed  offices  to  facilitate  heads-down 
concentration  (really  not  so  much  of  this) 

■  Installing  Web-based  conferencing  tools  to  encourage  virtual 
relationships  (read:  reduce  travel  costs) 

■  Sending  people  home  to  facilitate  work-life  balance  (trusty 
cynical  sidekick:  sublease  a  floor  of  offices  or  two) 

■  Bringing  people  back  into  the  office  to  facilitate  the  growth 
of  social  capital  and  trust... 

Well,  you  get  the  picture.  Nobody  seemed  to  have  much  evi¬ 
dence  that  what  they  were  doing  would  work,  although  they 
often  had  strong  opinions  and  financially  based  motivations. 
Most  discouraging,  few  companies  were  doing  much  to  meas¬ 


ure  the  results  of  their  initiatives,  ensuring  there  would  be  no 
findings  of  any  rigor.  All  those  experiments,  yet  no  measures,  no 
control  groups,  no  pre-  or  post-implementation  observations. 

Still,  we  learned  a  few  things  from  our  visits  and  interviews. 
First — whether  or  not  you  agree  on  the  concept  of  high-end 
workers — all  knowledge  workers  are  not  alike.  There  are  “sit¬ 
ters”  and  there  are  “movers.”  There  are  “talkers”  and  there  are 
“thinkers.”  Some  like  working  at  home,  and  some  can’t  get  a 
damn  thing  done  there.  Even  if  your  company  does  only  one 
thing — say,  corporate  law — your  senior  partners  will  spend 
much  of  the  day  communicating  with  clients  while  your  junior 
associates  will  be  hunched  over  their  keyboards. 

It’s  clear  that,  at  the  very  least,  you  need  some  segmentation 
of  your  knowledge  workforce.  Intel  used  to  treat  all  its  knowl¬ 
edge  workers  alike  in  terms  of  offices  and  technology,  but  its 
new  approach  allows  for  several  variations.  Providing  alterna¬ 
tives  to  the  standard  cubicle  made  it  possible  to  reduce  overall 
space  needs  (because  all  workers  weren’t  there  all  the  time)  and 
increase  employee  satisfaction,  retention  and  morale. 

One  easy  and  cheap  way  to  make  knowledge  workers  happy 
is  to  give  them  some  freedom  in  their  work  environments.  Prod¬ 
uct  design  company  Ideo  is  the  poster  child  for  such  an  approach. 
Employees  there  can  bring  in  just  about  anything  to  customize 
and  jazz  up  their  space,  from  surfboards  to  old  motorcycles.  It 
doesn’t  cost  Ideo  anything,  it  makes  the  workers  happy,  and  the 
company  is  one  of  the  most  creative  and  productive  design  shops 
on  the  planet. 

Similarly,  we  found  that  the  work-at-home  question  should  be 
pretty  much  left  up  to  the  individual.  It  doesn’t  seem  to  work 
very  well  to  have  people  work  at  home  for  extended  periods — 
out  of  sight,  out  of  mind  and  all  that.  So  the  company  doesn’t 
save  a  lot  by  closing  office  space. 


We  also  discovered  that  the  solutions  for  making  knowledge 
work  better  should  cut  across  organizational  functions.  If  you’re 
going  to  coordinate  a  move  to  virtual  officing  or  hoteling,  for 
example,  you  need  to  involve — at  a  minimum — real  estate  and 
IT  people  and  probably  HR  too,  since  worker-supervisor 
relationships  will  be  affected.  You  might  even  need  some  ad¬ 
vice  from  legal  to  make  sure  you  don’t  get  sued  when  Joe 
Bloggs  falls  out  of  his  chair  in  his  home  office.  British 
Petroleum’s  “Office  of  the  Future”  initiative  combines  new 
workspaces,  organizational  change  and  technology.  Executives 
have  home  audio  links  and  videoconferencing  capabilities  and, 
in  the  office,  wireless  LANs  and  team  spaces  with  “smart 
boards.”  They  all  have  PDAs  with  both 
generic  and  BP-specific  applications.  Such 
mobility-enhancing  technologies  allow  a 
much  higher  degree  of  work-life  flexibility. 

We  found  some  in-depth  examples  of 
cross-functional  coordination,  though  more 
examples  are  needed.  Cisco  Systems,  for  one,  created  a  joint 
task  force  to  design  a  new  knowledge  work  environment.  The 
group  first  explored  key  drivers  that  would  influence  its 
approach,  such  as  Cisco’s  business  strategy  and  company  goals, 
the  organization’s  culture,  and  related  initiatives,  such  as 
improving  customer  satisfaction.  Then  the  HR  representative 
described  the  future  characteristics  of  Cisco’s  workforce,  and 
IT’s  representative  provided  a  vision  for  the  technologies 
expected  to  impact  the  workplace  in  the  next  several  years. 
Over  time,  the  task  force  developed  a  vision  for  what  the  work¬ 
place  of  the  future  would  need  based  on  the  way  the  work¬ 
force  and  technology  were  evolving. 

Finally,  of  the  three  possible  improvement  domains — IT, 
physical  space  and  organizational  changes — IT  is  perhaps  the 
least  well  understood.  Most  organizations  we  talked  with  were 
trying  out  a  variety  of  tools  for  collaboration,  messaging, 
knowledge  sharing  and  productivity  (calendaring,  meeting 
arrangements,  peer-to-peer  file  sharing),  but  there  were  few 
standards  in  evidence.  Best  practices  consisted  only  of  supply¬ 
ing  lots  of  training  for  new  knowledge  work  technology.  Rarely 
was  the  IT  experimentation  accompanied  by  any  measurement. 
Without  that,  it  will  be  hard  to  make  progress.  We’ve  been 
experimenting  with  IT  support  for  knowledge  work  for  sev¬ 
eral  decades  now.  When  will  we  figure  out  what  works? 

If  you’re  making  progress  toward  enhancing  the  perform¬ 
ance  of  your  knowledge  workers  or,  God  forbid,  you’ve  figured 
it  all  out,  by  all  means  send  me  an  e-mail.  H0 


Tom  Davenport  is  director  of  the  Accenture  Institute 
for  Strategic  Change  and  professor  of  IT  and 
management  at  Babson  College.  You  can  reach  him  at 
tdavenport@babson.edu . 


It’s  clear  that,  at  the  very  least,  you  need  some 
segmentation  of  your  knowledge  workforce. 
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(ISC)2-  SECURITY  THAT  TRANSCENDS  TECHNOLOGY5" 


Even  organizations  with  identical  security  technology  can  have  information  systems  whose  trustworthiness  isn’t 
comparable.  Skilled,  motivated  and  reliable  security  architects,  designers,  implementers,  administrators  and 
managers  make  the  difference.  Experts  whose  abilities  are  coveted,  because  as  holders  of  CISSP®  and  SSCP® 
credentials,  they’re  the  trusted  constituents  of  the  non-profit  consortium  of  industry  leaders  known  as  (ISC)2*". 

(ISC)2  is  a  non-profit  consortium  of  industry  leaders  whose  charter  is  to  compile  and  maintain  the  most 
comprehensive  Common  Body  of  Knowledge  (CBK)™.  And  from  this  CBK,  develop  the  industry  standards  for 
training  and  credentialing.  Those  professionals  who  earn  CISSPs  and  SSCPs,  share  the  credibility  of  the 
internationally  recognized  Gold  Standard5"  in  information  security. 


For  more  information  on  training  or  certification,  please  call 

1.888.333.4458 

or  viskwww.isc2.org 
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Cover  Story  |  On-Demand  Computing 


IBM’s  pitch  that  on-demand  e-business  will  reduce  IT  costs 
and  make  everything  work  better  sounds  good— especially  to 
CEOs  who  don’t  understand  that  the  technologies  to  make  it 

happen  just  don’t  exist  BY  CHRISTOPHER  koch 


A  CEO  watching  a  football  game  or  a  golf  tournament  on  TV 
today  is  reminded  during  the  commercial  breaks  of  something  about 
his  IT  infrastructure.  He’s  reminded  that  it’s  a  mess. 

The  bearer  of  this  bad  news  is  IBM.  The  message  embedded  in  its 
ads  (once  you  finish  laughing  at  befuddled  businesspeople  peering 
through  “magic  business  binoculars”  or  examining  the  “universal 
technology  adapter”)  is  simple:  Your  IT  is  broken,  and  you  need 
IBM,  the  biggest  technology  company  in  the  world,  to  fix  it. 

Now  CIOs  watching  those  ads  know  that  IBM  can’t,  in  fact,  clean 
up  the  mess  they  live  with  every  day — the  costly  proliferation  of  hard¬ 
ware  and  software  that  doesn’t  work  together;  the  shrunken  staffs 
asked  to  manage  more  applications  running  on  servers  that  typically 
use  only  10  percent  to  20  percent  of  their  computing  and  storage 
capacity.  They  understand  that  IBM’s  “e-business  on-demand”  pro¬ 
poses  to  solve  those  problems  with  technologies  that  are  either  in 
their  infancy  or  so  numbingly  complex  that  they’re  years  away  from 
being  applied  by  the  typically  risk-averse  Fortune  2000  company. 


Unfortunately,  CEOs  and  CFOs  don’t  care  about  any  of  that.  All 
they  know  is  that  their  IT  costs — which  are  now  more  than 
50  percent  of  the  average  Fortune  500  company’s  capital  costs — 
are  throbbing  on  their  balance  sheets  like  big  red  sore  thumbs.  All 
they  know  is  that  they  are  facing  a  crisis  of  cost  and  complexity. 
And  every  time  they  see  those  IBM  ads,  it  brings  it  all  back. 

But  IBM’s  on-demand  vision  is  not  going  to  bail  CEOs  out  of 
their  predicament — at  least  not  yet.  More  than  a  year  ago,  Amer¬ 
ican  Express  outsourced  much  of  its  IT  group  to  IBM  in  what  was 
hailed  as  the  first  example  of  IT 
as  an  outsourced  utility.  But  it  is 
not  a  utility.  Amex’s  computing 
resources  are  not  mixed  into  a 
vast  pool  to  get  giant  economies 
of  scale,  like  electric  utilities  do. 

It  is  a  variable  pricing  arrange¬ 
ment  in  which  Amex  pays  a  float- 


Reader  ROI 

►  The  enterprise-readiness 
of  IBM’s  on-demand 
technologies 

►  How  to  manage  your 
CEO’s  expectations  for 
on-demand  e-business 
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Cover  Story  |  On-Demand  Computing 


If  It  Looks  Like  an  Outsourcing  Deal 
and  Walks  Like  an  Outsourcing  Deal... 

Then  it  probably  is  an  outsourcing  deal,  even  if  IBM 
calls  it  utility  computing 


American  Express’s  $4  billion  deal  with  IBM  Global  Services  in  February  2002  was 
hailed  by  IBM  as  an  example  of  utility  computing  coming  of  age.  But  the  Amex  deal  and 
the  other  deals  IBM  has  signed  since  announcing  its  on-demand  strategy  last  fall  are 
simply  outsourcing  deals  with  a  slight  twist;  variable  pricing  for  some  of  the  computing 
and  storage  power.  Much  of  Amex’s  variable  pricing  involves  IBM  simply  bringing  in 
extra  boxes  and  hard  drives  without  turning  them  on  or  charging  Amex  for  them  until 
the  company  needs  the  extra  power. 

That’s  not  the  same  thing  as  plugging  into  the  wall  and  having  computing  as  a  utility 
flow  down  the  wire,  says  David  Tapper,  senior  analyst  of  networked  infrastructure 
management  services  for  IDC  (a  sister  company  to  CIO's  publisher).  The  computing 
power  that  IBM  provides  Amex  doesn’t  come  from  an  enormous  pool  shared  by  many 
customers— as  electricity  would  be— and  a  utility  wouldn’t  be  assuming  management 
over  old  computing  systems  and  2,000  of  Amex’s  IT  employees,  indeed,  it’s  hard  to 
imagine  Amex  or  any  of  IBM’s  big,  security-conscious  outsourcing  customers  sharing  a 
pool  of  computing  resources  for  their  hundreds  or  thousands  of  different  apps  anytime 
soon.  “There’s  a  huge  amount  of  trust  that  needs  to  be  built  before  this  can  happen,” 
says  Tapper.  “It’s  like  saying,  You’re  going  to  feed  and  clothe  me,  right?  You’re  always 
going  to  be  there,  right?” 

Today,  utility  computing  is  not  a  new  technology.  It’s  a  pricing  scheme,  and  not 
necessarily  a  bad  one.  Just  call  it  what  it  is.  -C.K. 


ing  rate  for  computing  power  from  a  bunch 
of  existing  machines  that  are  fully  dedi¬ 
cated  to  Amex.  That’s  outsourcing  with  a 
pricing  twist. 

“IBM  does  support  and  the  data  center;” 
says  Amex  Vice  President  and  CIO  Glen 
Salow.  “We  do  everything  else — like  appli¬ 
cation  development  and  architecture.” 
Stripped  of  its  on-demand  hype,  what  you 
get  with  IBM  is  outsourcing,  and  outsourc¬ 
ing  is  what  it  has  always  been:  a  risky  strat¬ 
egy  that  according  to  numerous  surveys  fails 
to  achieve  either  better  service  or  reduced 
costs  50  percent  of  the  time. 

That’s  a  coin  flip. 

But  that  heads-or-tails  gamble  doesn’t 
stop  CEOs  from  wanting  IT  off  their  books 
right  now,  and  IBM’s  TV  commercials  tell 
them  they  can  do  it  right  now.  Today. 

However,  if  CEOs  buy  on-demand  the 
same  way  they  bought  ERP  and  CRM — 
over  19th  hole  cocktails  with  consultants — 
the  consequences  could  make  the  bloated 
expectations  and  cost  overruns  of  the  ERP 
and  CRM  era  look  like  best  practices  by 
comparison.  At  least  CIOs  could  unwrap 
ERP  and  CRM  software  and  put  it  on 
servers.  On-demand  exists  only  in  theory. 
And  while  CIOs  during  the  years  have  man¬ 
aged  plenty  of  difficult  technology  projects, 
implementing  theories  has  never  before  been 
on  their  to-do  lists. 

Why  Your  IT  Is  a  Mess 

NO  ONE  IS  better  at  convey¬ 
ing  the  crisis  in  IT  today 
than  IBM.  The  brilliance  of 
its  advertising  campaign 
(and  the  way  it  avoids  cul¬ 
pability  for  the  problems  it 
helped  create)  lies  in  the 
fact  that  it  has  beaten  its  competitors  to 
market  with  a  startlingly  new  strategy  for 
selling  technology:  the  truth. 

And  the  truth  is,  IT  has  not  delivered  on 
its  promises  to  the  enterprise. 

For  all  the  sales  talk  about  agility  and  on- 
demand,  no  hardware  vendor  today  makes 
a  server  that  can  manage  a  server  from  a 
competing  vendor  as  well  as  its  own,  if  at 


all.  And  no  software  vendor  writes  its  appli¬ 
cations  to  share  that  server  with  anyone 
else’s  apps.  Any  claim  that  on-demand  com¬ 
puting  can  be  delivered  today  depends  on 
the  fiction  that  you  can  build  your  infra¬ 
structure  using  a  single  type  of  application 
and  use  hardware  with  a  single  operating 
system  from  a  single  vendor.  Every  CIO 
knows  that’s  nonsense. 

What  CIOs  need  today  is  the  ability  to 
share  computing  resources  across  operating 
systems  and  across  hardware  vendors 
because  that’s  the  reality  they  live  with:  a 
heterogenous  infrastructure  comprising 
everything  from  legacy  mainframes  to  15- 
year-old  PCs  to  cutting-edge  blade  servers. 
And  CIOs  need  applications  that  can  be 
shared  across  this  complex  mess  without 
falling  apart  or  bringing  down  other  appli¬ 
cations  in  a  massive  crash.  This  technology 


exists  (much  like  the  technology  to  make  a 
nonpolluting  car),  but  there  has  been  no 
advantage  for  vendors  to  offer  heterogenous 
infrastructure  and  application  management 
because  doing  so  would  hurt  the  sales  of 
their  own  stuff. 

But  now  the  stuff  is  not  selling.  Sales  of 
high-end  servers  were  down  30  percent  in 
2001,  according  to  EDC  (a  sister  company  to 
CIO’s  publisher),  and  rose  only  1.6  percent 
in  2002.  And  in  2001,  ERP  vendors’  rev¬ 
enue  from  existing  customers  for  the  first 
time  outstripped  those  from  new  ones. 

So  by  acknowledging,  albeit  humorously, 
the  IT  nightmare  that  their  customers  face, 
and  by  articulating  the  industry’s  most  ambi¬ 
tious  vision  for  fixing  it,  IBM  is  attempting 
to  make  lemonade  out  of  today’s  lemons. 
And  in  so  doing,  it  is  threatening  to  leave 
its  competitors  in  the  dust. 
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How  IBM  Plans  to  Conquer 
the  IT  World 

LTHOUGH  IT  SELLS  fewer 
units  than  smaller  compet¬ 
itors  in  most  of  its  mar¬ 
kets,  not  to  mention  the 
fact  that  its  prices  are 
almost  always  higher 
while  its  technology  rarely 
leads  the  pack,  no  other  technology  com¬ 
pany  can  assemble  as  comprehensive  a  set 
of  products  as  Big  Blue:  services,  software, 
hardware  and  financing.  Everyone  else  has  a 
hole  in  his  bucket.  EDS  ($11.7  billion  in  out¬ 
sourcing  revenue  in  2002  versus  $16  billion 
for  IBM)  lacks  in-house  hardware  and  soft¬ 
ware  divisions,  as  does  IBM’s  main  consult¬ 
ing  rival,  Accenture.  Microsoft  focuses  solely 
on  software.  Only  Hewlett-Packard  comes 
close  to  having  IBM’s  breadth,  but  HP’s  serv¬ 
ices  and  software  divisions  are  much  smaller. 

Of  course,  all  of  IBM’s  major  competi¬ 
tors  have  partnership  agreements  with 
smaller  vendors  to  fill  out  their  offerings, 
but  for  the  risk-averse  CEO,  IBM  is  the  clos¬ 
est  thing  to  a  one-stop  shop  in  IT.  And  if 
you  have  a  mess,  you  want  a  janitor  who 
knows  how  to  clean  up  every  bit  of  it. 

IBM’s  goal  is  to  leverage  its  breadth  in 
order  to  stop  selling  IT  hardware  and  soft¬ 
ware  and  start  selling  business  capabilities 
enabled  by  technology. 

This  vision  is  not  new,  nor  are  any  of  the 
technologies  behind  it.  What’s  new  is  the 
effort  to  make  it  consistent  across  the  vast 
global  empire  of  IBM.  All  IBM  sales  repre¬ 
sentatives — from  its  server  division  to  soft¬ 
ware  to  outsourcing — are  supposed  to  sell 
on-demand  along  with  their  own  products. 
On-demand  is  supposed  to  drive  the  devel¬ 
opment  of  all  of  IBM’s  software  and  hard¬ 
ware  with  the  goal  of  making  them  capable 
of  mixing  with  and  managing  applications 
from  other  vendors.  The  coordination 
challenge  is  huge.  For  example,  employees  in 
IBM’s  grid  computing  unit  spend  50  percent 
to  70  percent  of  their  time  doing  marketing 
and  education  inside  IBM  itself,  according  to 
Ian  Baird,  vice  president  of  marketing  and 
sales  operations  at  Platform  Computing, 


which  is  one  of  IBM’s  primary  partner  com¬ 
panies  in  grid  computing. 

The  effort  to  develop  the  technologies  nec¬ 
essary  to  fill  out  on-demand  is  no  less  ambi¬ 
tious.  In  2000,  IBM  created  a  series  of 
internal  divisions,  now  called  Emerging  Busi¬ 
nesses  Opportunities  (EBOs),  that  focus, 
among  other  things,  on  developing  new  tech¬ 
nologies  for  the  different  pieces  of  on- 
demand,  including  utility  (essentially 
pay-by-the-drink  IT),  autonomic  (software 
that  automatically  diagnoses  and  fixes  com¬ 
puter  problems),  grid  (pooling  computers  to 
form  a  single  virtual  entity),  business  process 
integration  and  Linux  (IBM’s  answer  to  pro¬ 
viding  a  single  OS  that  can  run  on  any  type 
of  computer,  from  a  mainframe  to  a  PC). 

IBM  says  it  will  spend  much  of  its  $5  bil¬ 
lion  R&D  budget  on  the  EBO  technologies 
in  2003.  The  heads  of  those  EBOs  report 
to  the  different  business  units  that  sponsor 
their  efforts  (autonomic  is  funded  by  IBM’s 
software  division,  for  example)  and  to 


address  if  it  hopes  to  fill  out  its  on-demand 
offerings.  Meanwhile,  IBM  says  it  will  spend 
$4  billion  this  year  to  acquire  vendors  to 
complete  its  on-demand  portfolio. 

To  some  critics  and  competitors,  IBM  is 
luring  customers  into  on-demand — and 
away  from  competitors — before  the  capa¬ 
bilities  are  ready,  trusting  its  ability  to  fill  in 
the  gaps  later.  “They  talk  about  freezing  the 
market  and  adding  new  capabilities  over 
time,”  says  Joe  Hogan,  vice  president  of 
managed  services  for  Hewlett-Packard.  “We 
prefer  to  wait  to  announce  things  until  they 
are  available.”  (Soon  after  this  interview,  HP 
announced  its  own  version  of  on-demand, 
called  Adaptive  Enterprise,  that  has  as 
many — or  more — holes  to  fill.) 

The  general  manager  of  IBM  e-business 
on-demand,  Irving  Wladawsky-Berger, 
insists  that  IBM  clearly  explains  the  current 
state  of  on-demand  to  its  customers,  telling 
them,  “Here  is  the  vision;  we’ll  get  there 
incrementally.”  He  acknowledges  that 


“The  key  is  flexibility.  Any  good  business 
has  its  ups  and  downs.  Variable-priced 
computing  lets  us  flex  up  and  down  a 
little  more  with  the  business.” 

-Glen  Sa low,  VP  and  CIO,  American  Express 


IBM’s  central  strategy  organization.  The 
emphasis  is  on  progress — not  profits — but 
the  mission,  according  to  Thomas  Bittman, 
research  vice  president  of  server  strategies 
for  Gartner,  is  for  each  new  EBO  to  bring 
something  tangible  to  the  market  within 
two  to  three  years. 

These  efforts  have  already  borne  fruit. 
IBM’s  Websphere  product  is  the  top-selling 
application  integration  software,  according 
to  Gartner,  and  IBM’s  integration  of  Linux 
into  many  of  its  hardware  and  software  plat¬ 
forms  is  a  direct  result  of  the  Linux  EBO’s 
efforts.  If  there’s  a  weakness  here,  according 
to  Bittman,  it’s  that  the  EBO  system  favors 
ideas  that  spring  from  within  IBM  over  those 
from  outsiders — a  weakness  it  will  have  to 


on-demand  is  a  long-term  vision  but  says 
IBM  is  better  able  to  solve  the  problems 
than  anyone  else.  “The  question  is,”  says 
Wladawsky-Berger,  “Do  you  start  from  zero 
or  do  you  start  from  a  strong  base?  We  think 
we’re  starting  from  a  very  strong  base.” 

Deconstructing  On-Demand: 
What’s  Real,  What  Isn’t 

IOs  who’d  like  to  keep 
their  jobs  during  the  next 
two  years  must  add  yet 
another  task  to  their  al¬ 
ready  overburdened  sched¬ 
ules:  managing  their  CEOs’ 
expectations  for  IBM’s  on- 
demand  package,  and  HP’s  Adaptive  Enter- 
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prise  and  Sun’s  N-l  strategy,  among  others. 
In  this  economy,  CIOs  who  jump  the  gun 
on  any  of  those  technologies — or  who  let 
their  CEOs  and  CFOs  fire  it  for  them — will 
pay  dearly.  The  technologies  for  making 
what  you  have  more  efficient  are  untested, 
and  most  require  consulting  help.  In  today’s 
economic  environment,  CIOs  need  to  make 
sure  that  any  experiments  they  undertake 
have  clear  business  payback,  and  that’s  tough 


to  do  when  the  technologies  are  so  imma¬ 
ture.  Here’s  some  of  what  IBM’s  offering. 

Variable  pricing.  The  only  piece  of  on- 
demand  that’s  real  today  and  might  not  cost 
more  in  the  short  term  is  variable-priced 
computing.  The  concept  is  simple.  Instead 
of  buying  a  new  server  that  you  may  not 
use  very  much,  you  pay  only  for  the  pro¬ 
cessing  power  you  do  use.  Software  moni¬ 
tors  the  server  and  turns  on  more  CPUs 
during  peak  periods  and  turns  them  off  dur¬ 
ing  slow  ones.  Vendors  charge  a  monthly 
fee  to  keep  the  box  in  your  data  center  and 
then  bill  you  based  on  the  average  amount 
of  processing  power  used  each  month.  This 
is  not  new  technology;  it  is,  however,  a  new 


pricing  scheme.  Call  it  leasing  on  steroids. 

But  it’s  not  always  a  bargain.  If,  for  exam¬ 
ple,  you  use  most  of  the  capacity  of  the  new 
server  every  month,  over  time  the  fees  can 
add  up  to  more  than  what  the  purchase 
price  of  the  server  would  have  been.  CIOs 
need  a  clause  in  the  contract  that  caps  the 
fees  at  the  original  purchase  price  of  the 
server.  And,  of  course,  the  billing  schemes, 
like  the  technologies  behind  them,  work 


only  with  one  vendor.  IBM  cannot  bill  you 
for  your  HP  server  (unless  you  outsource  it 
to  IBM).  Thus,  even  the  variable  pricing 
model  falls  apart  when  you  consider  trying 
to  manage  the  entire  infrastructure  that  way. 
But  it’s  a  start. 

A  piece  of  American  Express’s  $4  billion 
outsourcing  deal  with  IBM  Global  Services 
(see  “If  It  Looks  Like  an  Outsourcing 
Deal...,”  Page  50)  is  based  on  IBM  provid¬ 
ing  computing  in  increments  of  CPU  power 
and  storage  capacity  rather  than  making 
Amex  pay  for  new  boxes  and  hard  drives. 
“The  key  is  flexibility,”  says  Amex’s  Salow. 
“Any  good  business  has  its  ups  and  downs. 
[Variable-priced  computing]  lets  us  flex  up 


and  down  a  little  more  with  the  business.” 

Grid  computing.  Variable  pricing  is  help¬ 
ing  drive  the  development  of  grid  comput¬ 
ing,  which  for  years  seemed  to  be  an  arcane 
technology  with  little  value  outside  of  super¬ 
computing.  With  business  relevance  at  hand, 
IBM  is  rushing  ahead  with  its  grid  research, 
but  it  is  not  yet  ready  for  the  typical  corpo¬ 
rate  IT  infrastructure. 

According  to  Gartner’s  Bittman,  useful 
grids  today  require  that  the  computing 
devices  (for  example,  PCs)  be  alike.  They 
are  also  limited  to  applications  that  are 
designed  for  heavy  parallel  computing 
(where  the  processing  work  can  be  sliced  up 
into  many  bits  and  then  reaggregated).  Most 
general  business  applications,  like  ERP  and 
CRM,  for  example,  do  not  work  that  way. 

Furthermore,  CEOs  don’t  want  grids. 
They  want  cheap  pools  of  computing  power 
served  up  to  them  in  the  same  way  that  elec¬ 
tricity  companies  serve  up  power.  But  that  is 
a  very  different,  and  much  more  complex, 
proposition. 

“The  concept  of  a  plug-and-pay  electric 
utility  model  for  computing  is  appealing  to 
anyone  who’s  dealing  with  the  kind  of  cost 
pressures  we’re  facing  today,”  says  David 
Dibble,  executive  vice  president  of  Schwab 
Technology  Services  for  Charles  Schwab. 
“But  you  peel  back  the  onion  even  one 
layer  and  the  analogy  falls  apart.”  Right 
now,  building  an  infrastructure  on  the  scale, 
security  and  fault-tolerance  levels  necessary 
for  outsourcing  companies  to  become  the 
electric  utilities  of  computing  is  impossible, 
Dibble  says.  “The  PhDs  who  will  do  it  are 
in  grade  school  today,  I  believe.” 

A  much  more  likely  near-term  scenario 
is  that  CIOs  will  build  small  grids  inside 
their  companies  to  save  money  and 
resources.  Indeed,  Dibble  has  successfully 
piloted  a  small  grid  computing  environment 
inside  Schwab  with  IBM,  as  have  other 
financial  services  companies,  like  J.P.  Mor¬ 
gan  Chase  (see  “How  Practical  Is  Grid 
Computing?”  at  www.cio.com/printlinks). 
But  grid  is  by  no  means  a  reliable  route  to 
reducing  complexity  and  cost  in  most  cor¬ 
porate  infrastructures  today. 


HP  Versus  IBM:  War  of  Words 


“They  talk  about  freezing  the  market  •  • 
and  adding  new  capabilities  overtime. 

We  prefer  to  wait  to  announce  things 

until  they  are  available.”  h; 

-Joe  Hogan,  VP  of  managed  services  at  Hewlett-Packard,  days  before  HP 
announced  Adaptive  Enterprise,  its  own  version  of  on-demand 
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“We  tell  our  customers,  Here  is  the 
vision;  we’ll  get  there  incrementally. 

The  question  is,  Do  you  start  from  zero 
or  do  you  start  from  a  strong  base?  We 
think  we’re  starting  from  a  very  strong  base.” 

-Irving  Wladawsky-Berger,  IBM’s  general  manager  of  e-business  on-demand 
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Users  are  frustrated... 


byCysive 


You’ve  tried  to  integrate  your  systems,  but 
from  your  user’s  point  of  view,  it’s  still  a  mess. 
They  can’t  find  what  they  need  to  find,  or  do 
what  they  need  to  do.  The  worst  part  is,  it’s 
costing  you  a  fortune  to  frustrate  them. 

Take  a  look  at  Cysive  Cymbio®.  It’s  all  about 
making  user  interaction  work. 


Download  the  Cysive®  User  Interaction 
Management  White  Paper. 
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Open  source.  IBM’s  on-demand  vision 
depends  on  software  to  connect  and  manage 
the  messy  infrastructures  of  corporate  com¬ 
puting,  but  it  has  rarely  led  in  software 
development.  Instead,  it  has  relied  on  acqui¬ 
sitions  and  open  standards  to  sell  the  soft¬ 
ware  portion  of  on-demand  computing.  In 
fact,  IBM  is  killing  two  birds  with  one  stone 
by  embracing  open  standards  like  Java  and 
the  open-source  Linux  operating  system. 
Open  source  gives  IBM  a  weapon  against 
its  only  real  competitor,  Microsoft,  and  it 


makes  IBM  look  good  to  the  IT  community. 

IBM  makes  nothing  on  Linux  itself,  but  it 
sells  the  hardware  and  services  necessary  to 
get  Linux  up  and  running.  Similarly,  IBM  is 
playing  the  dominant  role  in  funding  and 
helping  write  standards  like  the  Open  Grid 
Services  Architecture,  which  is  an  open- 
source  architecture  for  building  grid  com¬ 
puting  applications.  Open  standards  for  grid 
computing  help  IBM  sell  services,  hardware 
and  grid  consulting  engagements,  three  areas 
where  Microsoft  does  not  compete. 


Yet  IBM’s  approach  to  standards  contains 
a  risk  for  CIOs.  If  IBM’s  influence  becomes 
too  large  in  these  standards  organizations, 
other  vendors  may  not  cooperate.  Further¬ 
more,  standards  organizations  are  famously 
slow  moving.  Patience  will  be  a  virtue  for 
CIOs  who  want  fully  realized  products  that 
adhere  to  open  standards. 

And  IBM  is  not  always  the  white  knight  it 
portrays  itself  as.  For  example,  when  the 
open-source  world  treads  too  closely  to 
IBM’s  turf,  IBM’s  goodwill  quickly  ebbs. 
When  asked  about  open-source  al¬ 
ternatives  to  IBM’s  DB2  database  or 
its  Websphere  application  server,  for 
example,  IBM  executives  bristle. 
“We’re  not  working  on  [open  source] 
for  philanthropic  reasons;  we’re 
going  to  make  money,”  snaps  Dan 
Frye,  director  of  IBM’s  Linux  Tech¬ 
nology  Center;  who  leads  250  IBM 
developers  assigned  to  help  build 
out  the  Linux  operating  system. 

Linux  is  not  on-demand’s  oper¬ 
ating  system,  however.  Websphere 
is.  IBM’s  application  server  is  based 
on  the  popular  J2EE  standard  but 
contains  enough  proprietary  hooks 
to  make  critics  wonder  whether 
IBM  is  simply  moving  the  old  Win¬ 
dows  versus  OS/2  battle  higher  up 
the  corporate  infrastructure  and  lin¬ 
ing  up  against  Microsoft’s  new 
application  architecture,  .Net.  Web¬ 
sphere  is  IBM’s  core  technology  for 
making  the  highest  level  promise  of 
on-demand  come  true:  business 
process  integration.  With  Web¬ 
sphere,  IBM  wants  to  convince 
application  developers  to  stop  writ¬ 
ing  their  applications  at  the  operat¬ 
ing  system  level  (Windows,  Unix, 
Macintosh)  and  write  them  to  Web¬ 
sphere  and  Java  instead  so  that  they 
can  work  on  any  operating  system. 
But  Websphere  relies  on  Web  serv¬ 
ices,  a  complex  and  incomplete  set 
of  standards,  and  Java,  which, 
while  powerful,  can  be  difficult  for 
programmers  to  work  with. 


How  to  Manage  Your  CEO’s  Expectations 

What  to  say  when  he  asks,  Where  are  we  on  on-demand? 


1.  Separate  the  hype  from  the  reality.  “It’s  an  interesting  theory,  Bill,  but  right  now 
that's  all  it  is.  You  see,  on  this  grid  thing,  even  if  it  were  possible  (which  it  isn’t),  we  don’t  want 
our  applications  sloshing  around  in  a  big  poo!  with  our  competitors'  applications.  And 
when  a  computer  heals  itself,  let  me  know  so  I  can  call  the  National  Enquirer.  Short  answer: 
On-demand’s  not  ready  for  prime  time,  Bill,  but  I’ll  keep  an  eye  on  it,  and  I’ll  keep  you 
informed.” 

2.  Remind  him  about  the  nature  of  outsourcing.  “See,  Bill,  right  now  on-demand’s  just 
an  outsourcing  deal,  and  outsourcing  is  a  50-50  proposition.  Believe  me,  it’s  not  like  flipping  a 
switch— bingo—you  get  computing  power.  But  I’ll  keep  an  eye  on  it  and  keep  you  informed.” 

3.  Hop  on  variable  pricing.  "This  is  something  we’re  looking  into  right  now,  Bill.  We’re 
not  going  to  buy  any  more  servers.  We’ve  got  enough  servers.  Now  we’re  going  to  start  buying 
by  the  CPU  and  the  megabyte.  We  can  do  it  only  with  one  vendor  at  a  time  right  now,  but 
we’re  going  to  look  into  it  with  each  of  our  major  vendors  to  see  if  we  can  cut  10  percent  to  25 
percent  of  our  hardware  costs.  We  don’t  want  to  become  completely  dependent  on  one  vendor 
though,  because  then  they’ve  got  us  you  know  where.  I’ll  keep  you  informed.” 

4.  Tell  him  you’re  joining  a  standards  organization.  “We  re  going  to  be  part  of  the 
solution  on  this  one,  Bill.  I’ve  assigned  several  of  my  guys  to  this  group  that's  working  on 
creating  standards  for  Web  services.  Remember  when  we  discussed  Web  services?  Well, 
that’s  what’s  going  to  make  this  whole  thing  work— someday— and  we’re  making  sure  that 
when  the  standards  do  emerge,  they’ll  actually  work  with  what  we've  already  got.  But  that’s 
long  term,  Bill.  Real  long  term.  I’ll  keep  you  informed.” 

5.  Ask  for  his  help.  “Actually,  Bill,  you  can  help  me  here.  The  next  time  a  vendor  tries  to 
sell  you  anything  new,  blow  your  top.  Tell  them  how  you  already  have  300  servers  from  six 
different  vendors.  Make  them  tell  you  how  they’re  going  to  make  their  server  work  with  every¬ 
one  else’s  server  without  making  us  pay  more.  They  owe  us— they  owe  you— an  explanation. 

And  how  are  the  kids?”  -C.K. 
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Web  Developers  are  a  phone  call  away. 
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IBM’s  Big  Gamble... 
and  Yours 

ITH  E-BUSINESS  on- 
demand,  EBM  is  gam¬ 
bling  with  its  most 
valuable  asset:  the 
trust  of  the  market. 

During  the  past  30 
years,  IBM  has  built 
a  positive  image  for  its  brand  equaled  only 
by  such  marketing  masters  as  Coca-Cola 
and  Nike.  In  a  2002  survey  of  240  compa¬ 
nies  by  IDC,  twice  as  many  respondents 
identified  IBM’s  Global  Services  outsourc¬ 
ing  group  as  “best-in-class”  as  they  did 
IBM’s  nearest  competitor,  EDS.  “CEOs  and 
CFOs  are  all  about  reducing  risk,”  says  Rob 
Schafer,  program  director  for  research  com¬ 
pany  Meta  Group.  “In  the  minds  of  CEOs, 
IBM  reduces  risk.” 

Tom  Kegley,  vice  president  of  IT  for 
North  America  for  Swiss  pharmaceutical 
and  health-care  giant  Roche  Group,  wit¬ 


nessed  the  power  of  IBM’s  brand  firsthand. 
When  Roche’s  diagnostics  group  was  con¬ 
sidering  outsourcing  Web  hosting  for  about 
100  websites  in  late  2001,  the  finalists  were 
IBM  and  Genuity.  Genuity’s  bid  was  lower 
than  IBM’s,  and  its  service  received  high 
marks  from  big-name  clients.  But  Genuity 
was  having  financial  problems. 

cio.com  Big  Blue  says  it's  being  clear 
about  the  current  state  of  on-demand  to  its 
customers.  What  do  you  think?  Is  IBM  going 
to  get  you  off  the  hook?  Give  us  your  2  cents 
in  ADD  A  COMMENT  on  the  online  version 
of  this  article.  Find  it  at  www.cio.com/daily. 


Meanwhile,  IBM  had  been  building  a  rela¬ 
tionship  with  Roche’s  top  executives  since 
2000,  when  it  hosted  them  at  IBM’s  Armonk, 
N.Y.,  headquarters  and  did  a  mea  culpa  pres¬ 
entation  about  Big  Blue’s  fall  from  grace  and 
its  rise  under  then-CEO  Lou  Gerstner.  The 
meeting  created  a  bond,  says  Kegley. 

So  when  Roche  executives  heard  about 
Genuity’s  financial  problems,  the  handwrit¬ 
ing  was  already  on  the  wall — even  though 
Roche  had  had  some  service  problems  with 
IBM  in  other  deals,  says  Kegley.  “The  direc¬ 
tor  of  marketing  said,  ‘Do  we  want  the  devil 
we  know  or  the  one  we  don’t  know?’” 
recalls  Kegley.  EBM  got  the  job  last  year,  and 
so  far  the  agreement  has  worked  well,  Keg¬ 
ley  says.  Genuity,  meanwhile,  declared  bank¬ 
ruptcy'  last  year  and  was  acquired  by  Level 
3  Communications  in  a  fire  sale. 

The  Roche  story  is  a  classic  example  of 
the  “solution  sell,”  perfected  by  the  father  of 
IBM,  Thomas  J.  Watson  Sr.  In  1914,  Wat¬ 
son  began  hiring  boatloads  of  salesmen  to 


build  relationships  with  customers  and  learn 
their  business  problems  before  trying  to  sell 
them  the  company’s  machines.  Today,  IBM’s 
dramatically  successful  services  arm,  IBM 
Global  Services,  built  by  former  McKinsey 
consultant  Gerstner  in  the  ’90s,  is  trying  to 
do  the  same  thing  with  on-demand. 

But  leading  with  consulting  and  out¬ 
sourcing  can  get  IBM  in  trouble  with  its 
customers — as  it  has  in  the  past.  Consul¬ 
tants  from  IBM  Global  Services  (as  well  as 
all  the  other  major  IT  consultancies)  over¬ 
sold  their  customers  on  the  capabilities  of 
ERP,  CRM  and  supply  chain  software,  and 
the  e-business  craze  brought  another  wave 


of  ill-considered  enthusiasm.  If  IBM  over¬ 
sells  on-demand  and  overpromises  on  the 
implementation  time  line,  it  could  damage 
that  close  and,  in  comparison  with  most 
other  big  vendors,  trusting  relationship  it 
has  with  its  corporate  customers.  Worse, 
with  outsourcing  such  a  big  part  of  IBM’s 
business  now,  there  is  a  danger  that  on- 
demand  will  devolve  into  a  euphemism  for 
simply  getting  rid  of  your  IT  by  turning  it 
over  to  IBM. 

IBM’s  Wladawsky-Berger  says  the  goal  of 
on-demand  is  to  make  IT  more  efficient  and 
more  integrated  without  forcing  CIOs  to 
buy  new  systems — no  matter  whether  IBM 
runs  it.  “Clearly,  if  on-demand  required  you 
to  redo  everything,”  he  says,  “that  would 
be  the  dumbest  strategy  anybody  ever  could 
have  come  up  with.” 

But  it’s  not  yet  clear  how  IBM  will  accom¬ 
plish  an  on-demand  future  that  isn’t  more 
expensive  than  the  past. 

“IBM  has  a  vast  array  of  enabling  tech¬ 
nologies,  but  they  have  a  lot  of 
work  to  do  from  a  product 
architecture  and  vision  and 
marketing  perspective  to  inte¬ 
grate  it  into  a  single  on- 
demand  message,”  says 
David  Cearley,  senior  vice 
president  of  product  man¬ 
agement  at  Meta  Group.  “If 
IBM  can  better  coordinate 
the  pieces  and  the  vision, 
then  it  has  a  very  powerful 
message  and  will  be  a  leader  in  this  next 
generation  of  computing.  If  it  doesn’t  evolve 
its  message,  and  it  continues  to  deliver  frag¬ 
mented  products,  and  on-demand  becomes 
nothing  more  than  marketing,  then  its 
breadth  will  hurt  it.” 

What’s  clear  is  that  right  now  e-business 
on-demand  is  not  much  more  than  a  slogan. 
CIOs  who  think  it’s  something  more  are 
looking  through  those  magic  business  binoc¬ 
ulars,  darkly.  E3E] 


Executive  Editor  Christopher  Koch  writes  about 
enterprise  computing.  Please  share  your  thoughts 
with  him  at  ckoch@cio.com. 


“The  c  d  ice|  :  of  a  |  jg-and-pay  ele  :tric  uti  ity 
mod  si  for  computing  is  app  aaling  t )  anyone 
who’s  dealing  with  the  kind  of  cost  pressures 
we’re  facing  today.  But  you  peel  back  the  onion 
even  one  layer  and  the  analogy  falls  apart.” 

-David  Dibble,  executive  VP  of  Schwab  Technology  Services 
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Nextel  Wireless  Business  Solutions  give  you  a  unique  advantage:  You’ll  know  of  what  you  speak. 

In  the  field,  guesswork  doesn't  cut  it.  Nextel  can  provide  you  with  the  means  to  take  your  field  force  completely  wireless  and 
operate  in  real-time.  Applications  and  technology  that  will  improve  your  service  dispatching.  Like  automated  work  orders  that 
will  enhance  the  quality  of  your  service.  And  DIRECT  CONNECTS  the  digital  walkie-talkie  that  works  nationwide.  Making  your 
business  more  efficient,  reliable  and  profitable.  Call  877  NEXTELC  or  tog  on  to  Nextel.com  for  industry-specific  wireless  solutions. 


The  BlackBerry  6510" 
from  Nextel.  The  only  fully  loaded 
BlackBerry *  with  a  cell  phone  and  digital 
walkie-talkie  that  works  nationwide. 

The  ultimate  wireless  business  tool. 
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©2003  Nextel  Communications,  Inc.  All  rights  reserved.  Nextel,  the  Nextel  logo,  Direct  Connect  and  the  Driver  Safety  logo  are  trademarks,  service  marks,  and/or 
registered  marks  of  Nextel  Communications,  Inc.  Direct  Connect  coverage  may  vary  from  location  to  location.  Check  for  availability  in  your  local  calling  area.  < 
MOTOROLA  and  the  Stylized  M  Logo  are  registered  in  the  U.S.  Patent  &  Trademark  Office.  All  other  product  or  service  names  are  the  property  of  their  respective  owners. 


Products.  People. 
Problems  solved. 

From  servers  to  service,  Dell  has  the  solution. 


Dell  |  Small  and  Medium  Business 

Your  business  has  unique  needs.  It  deserves  a  unique  solution.  From  PowerEdge'*'  servers  featuring 
Intel®  Xeon™  processors  to  PowerVault™  Storage  and  PowerConnecf  Network  Switches,  we  offer  tailored 
solutions  to  meet  your  business  needs.  And  of  course  it's  Dell,  so  you  know  you're  getting  the  latest  technology. 
But  that's  only  half  of  the  story.  Dell  offers  consulting  services  that  range  from  deployment  and  installation  to 
training  and  certification.  All  from  one  source.  And  everything  is  backed  by  thousands  of  service  and  support 
people  at  your  beck  and  call,  on-site,  online  and  on  the  phone.  Suddenly  your  IT  infrastructure  doesn't  seem 
so  daunting.  Let  Dell's  one-of-a-kind  solutions  put  you  on  the  path  to  one-of-a-kind  success. 
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Dell  Rated  #1  in  Intel-Based  Server  Satisfaction 

20  Out  of  21  Consecutive  Quarters 
Technology  Business  Research 
Corporate  IT  Buying  Behavior  and  Customer  Satisfaction  Study 

Fourth  Quarter  2002 
-April  2003 


Call:  M-F  7a-8p  Sat  8a-5p,  CT 

Pricing,  specifications,  availability  and  terms  of  offer  may  change  without  notice.  Taxes  and  shipping  charges  extra,  and  vary  and  not  subject  to  discounts.  U.S.  Dell  Small  Business  new  purchases  only.  Dell  cannot  be  held  responsible  for  errors  in  typography  or  photography. 
'This  device  has  not  been  approved  by  the  Federal  Communications  Commission  for  use  in  a  residential  environment.  This  device  is  not,  and  may  not  be,  offered  for  sale  or  lease,  or  sold  or  leased  for  use  in  a  residential  environment  until  the  approval  of  the  FCC  has  been  obtained. 

Service  may  be  provided  by  third  party.  Technician  will  be  dispatched  following  phone-based  troubleshooting.  Subject  to  parts  availability,  geographical  restrictions  and  terms  of  service  contract.  Service  timing  dependent  upon  time  of  day  call  placed  to  Dell. 
U.S.  only.  ’'Monthly  payment  based  on  48-month  60  Days  Same-As-Cash-QuickLoan  with  46  payments  at  9.99%  interest  rate.  Your  interest  rate  and  monthly  payment  may  be  same  or  higher,  depending  on  your  creditworthiness.  If  you  do  not  pay  the  balance 
within  60  days  of  the  QuickLoan  Commencement  Date  (which  is  five  days  after  product  ships),  interest  will  accrue  during  those  first  60  days  and  a  documentation  fee  may  apply.  OFFER  VARIES  BY  CREDITWORTFTINESS  OF  CUSTOMER  AS  DETERMINED  BY 
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Remote  Office  &  File/Print  Sharing  Web  Server  Application  Server 


PowerEdge™  600SC  Server 

Entry-Level  Performance  Server 

•  Intel®  Pentium®  4  Processor  at  2.40GHz 

•  128MB  266MHz  ECC  DDR  SDRAM 

•  Upgradeable  to  4GB  of  Memory 

•  40GB  (7200  RPM)  IDE  Hard  Drive  (Up  to  120GB  HD  Avail) 

•  Upgradeable  to  480GB  of  Internal  Hard  Drive  Storage 

•  Embedded  Intel®  PRO  Gigabit50  NIC 

•  Five  PCI  Expandability  Slots  (4-64/33MHz,  1-32/33MHz) 

•  1-Yr  24x7  Dedicated  Server  Phone  Tech  Support 

•  1-Yr  Next  Business  Day  On-Site  Service3 

•  Small  Business  Pricing 

VI  as  low  as  $14/mo.,  (46  pmts)0) 

E-VALUE  Code:  1 7632- S20604g 

For  a  complete  server  solution  we  recommend  these  additions: 

•  Custom-Install  Site  Survey,  add  $199 

•  PV100T-TR5  Internal  Tape  Back-Up,  add  $199 

•  PowerConnect  2124* *  24+1GB  Ethernet  Switch,  add  $299 


PowerEdge™  1650  Server 

Highly  Available  1U  Rack-Optimized  Server 

•  Intel®  Pentium®  III  Processor  at  1 ,13GHz 

•  Dual  Processor  Capable  (Up  to  1 ,40GHz) 

•  256MB  133MHz  ECC  SDRAM  (Up  to  4GB) 

•  20GB  (7200  RPM)  IDE  Hard  Drive  (Up  to  120GB  HD  Avail) 

•  Upgradeable  to  360GB  of  Internal  Hard  Drive  Storage 

•  Dual  Embedded  Intel®  PRO  Gigabit50  NICs 

•  Two  PCI  Expandability  Slots  (2-64/66MHz) 

•  Hot-Swap  Redundant  Cooling  Fans 

•  3-Yr  Next  Business  Day  On-Site  Service3 

•  Small  Business  Pricing 

as  low  as  $30/mo.,  (46  pmts30) 

E-VALUE  Code:  17632-S20610g 

For  a  complete  server  solution  we  recommend  these  additions: 

•  Hot-Swap  Redundant  Power,  add  $299 

•  PowerConnect  3024*  Managed 
24+2GB  Ethernet  Switch,  add  $549 


PowerEdge™  2650  Server 

2U  Scalable  Rack  Server  with  High  Processing  Power 

•  Intel®  Xeon”  Processor  at  2.40GHz 

•  Dual  Intel®  Xeon™  Processor  Capable  (Up  to  2.80GHz) 

•  256MB  200MHz  ECC  DDR  SDRAM  (Up  to  6GB) 

•  36GB  (10K  RPM)  SCSI  Hard  Drive  (Up  to  146GB  HD  Avail) 

•  Upgradeable  to  730GB  of  Internal  Hard  Drive  Storage 

•  Dual-Embedded  Gigabit50  NICs 

•  Dual-Channel  Integrated  SCSI  Controller 

•  Active  ID  Front  Bezel  for  Monitoring  System  Health 

•  3-Yr  Next  Business  Day  On-Site  Service3 

•  Small  Business  Pricing 

as  low  as  $49/mo.,  (46  pmts*) 

V  |  /  E-VALUE  Code:  17632-S20617g 

For  a  complete  server  solution  we  recommend  these  additions: 

•  PowerConnect  3248*  Managed  48+2GB  Switch,  add  $999 

•  PowerVault  112T-DDS4  (Dual  Drive  Capable) 

Tape  Back-Up,  add  $1499 


The  answers  you  need.  Easy 
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Click  www.dell.com/bizsolutions  Call  1-800-627-1420 


LENDER,  Minimum  transaction  size  of  $500  required.  Maximum  aggregate  financed  amount  for  the  paperless  acceptance  QuickLoan  not  to  exceed  $25,000.  If  your  order  exceeds  $25K,  a  Dell  Financial  Services  rep  will  contact 
you  to  process  your  documentation.  Taxes,  fees  and  shipping  charges  are  extra  and  may  vary.  Not  valid  on  past  orders  or  financing.  QuickLoan  arranged  by  CIT  Bank  to  Small  Business  customers  with  approved  credit.  ®This  term 
indicates  compliance  with  IEEE  standard  802.3ab  for  Gigabit  Ethernet,  and  does  not  connote  actual  operating  speed  of  1  GB/sec.  For  high  speed  transmission,  connection  to  a  Gigabit  Ethernet  server  and  network  infrastructure  is 
required.  Dell,  the  stylized  E  logo,  E-Value.  PowerEdge,  PowerConnect  and  PowerVault  are  trademarks  of  Dell  Computer  Corporation.  Intel,  Intel  Inside,  the  Intel  Inside  logo.  Pentium  and  Xeon  are  trademarks  or  registered  trademarks 
of  Intel  Corporation  or  its  subsidiaries  in  the  United  States  and  other  countries.  ©2003  Dell  Computer  Corporation.  All  rights  reserved. 
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IT  is  late  to  embrace  risk  analysis, 
but  without  it,  project  portfolio 
management  is  nothing  more 
than  a  fad 

BY  SCOTT  BERINATO 

*  l 

t 


The  Soufrtere  Hills  volcano  has  turned  the  island  of 
Montserrat  into  a  living  laboratory  for  risk  analysis. 
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Montserrat  is  one  of  the  many  islands  sprinkled  among  the  Caribbean 
West  Indies.  In  just  39  square  miles,  it  boasts  mountains,  rain  forests,  beaches  and 
groves  of  bananas,  mangoes  and  coconuts.  The  air  temperature  rarely  dips  below 
78  degrees  and  neither  does  the  water. 

In  short,  Montserrat  is  paradise.  Or  it  would  be  but  for  the  Soufriere  Hills 
volcano,  which  erupted  for  the  first  time  in  July  1995  and  hasn’t  stopped  since. 


Soufriere  Hills  has  rendered  nearly  two- 
thirds  of  the  island — an  area  now  called  the 
Exclusion  Zone — uninhabitable.  Since  1995, 
the  island’s  population  has  fallen  from 
11,000  to  4,000.  The  volcano  has  buried  Ply¬ 
mouth,  the  former  capital.  It  killed  20  people 
in  one  violent  belch  in  1997.  It  has  suffocated 
the  economy,  once  driven  by  tourism  and 
rock  stars  like  Sting,  the  Stones  and  Paul 
McCartney,  who  partied  and  recorded  music 
there  at  Air  Studios,  the  recording  facility 
once  owned  by  the  Beatles’  former  producer 
George  Martin  but  now  buried  by  the  volcano. 

This  dichotomy — Eden  on  one  side  of  the  island,  the  fires 
of  Hell  on  the  other — makes  Montserrat  a  perfect  laboratory 
for  risk  analysis.  Just  as  much  of  Montserrat  is  buried  in  ash, 
it’s  also  buried  in  probabilities.  Scientists  know,  for  example, 
that  there’s  only  a  3  percent  chance  that  Soufriere  Hills  will 
stop  erupting  in  the  next  six  months.  They  also  know  there’s 
a  10  percent  chance  of  injury  from  the  volcano  at  the  border 
of  the  Exclusion  Zone,  and  they  can  draw  an  imaginary  line 
across  the  island  where  the  threat  from  the  volcano  equals 
the  threat  from  hurricanes  and  earthquakes. 

“Thirty  years  ago,  you  needed  the  biggest  computer  in  the 
world  to  do  the  statistical  risk  analysis,”  says  Willy  Aspinall, 
who  helped  develop  these  figures  in  the  shadow  of  Soufriere 
Hills.  “Now  all  you  need  is  a  laptop  and  a  spreadsheet.”  He 


says  the  risk  calculations  get  better  and 
more  textured  all  the  time.  He  uses  Monte 
Carlo  risk  analysis  simulation  software  and 
spreadsheets  to  quantify  the  risk  levels  that 
help  decision-makers  minimize  the  volcano’s 
threat  to  people’s  lives. 

If  this  type  of  risk  analysis  is  good  enough 
for  Aspinall,  it  ought  to  be  good  enough  for 
CIOs,  especially  now  that  they’re  working 
in  an  economic  environment  looming  as 
ominously  over  their  businesses  as  Soufriere 
Hills  looms  over  Montserrat.  For  the  most 
part,  though,  CIOs  have  not  adopted  statistical  analysis  tools 
to  analyze  and  mitigate  risk  for  software  project  management. 
This  is  why  they  should. 

Risky  Business 

Experts  will  tell  you  that  statistical  risk  analysis  is  as 
essential  to  real  portfolio  management  as  a  processor  is 
to  a  computet  Without  it,  portfolio  management  is  sim¬ 
ply  a  way  to  organize  the  view  of  projects  that  will  almost 
certainly  fail.  CIOs  who  are  serious  about  portfolio  manage¬ 
ment  need  to  be  serious  about  statistical  risk  management. 
(For  more  on  portfolio  management,  see  “Portfolio  Manage¬ 
ment:  How  to  Do  It  Right”  at  www.cio.com/printlinks.) 

“If  you  don’t  succeed  with  risk  management,  you  won’t 
succeed  with  project  portfolio  management,”  says  Raytheon 


Reader  ROI 

►  Realize  the  importance 
of  quantifying  risk 

►  Understand  howto 
use  statistical  simula¬ 
tions  to  map  risks 
and  probabilities 

►  Develop  a  risk  analysis 
process 
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CIO  Rebecca  Rhoads,  who  credits  risk  man¬ 
agement  with  lowering  her  project  failure 
rate  and  helping  Raytheon  IT  achieve  its 
cost-performance  targets.  Rhoads  is  ahead 
of  the  curve,  but  despite  her  engineering 
background,  she  has  yet  to  apply  the  kind  of 
sophisticated  statistical  analysis  that  Aspinall 
uses  for  his  volcano. 

Robert  Sanchez,  senior  vice  president  and 
CIO  of  Ryder,  credits  risk  analysis  with 
bringing  order  to  his  company’s  decision¬ 
making  process  for  projects.  He  would  wel¬ 
come  statistical  analysis,  but  he’s  not  there 
yet.  “Have  we  really  embraced  it  completely 
and  understood  it  in  all  of  its  detail?” 
Sanchez  asks  rhetorically.  “No,  we  haven’t. 
But  we  will.” 

CIOs  should  become  familiar  with  two 
statistical  tools.  They  are  the  colorfully 
named  workhorses  of  risk  analysis:  Monte 
Carlo  simulation  and  decision  tree  analysis. 
Probabilities  figure  heavily  into  both,  which 
means  that  risk  has  to  be  quantified.  CIOs 
must  draw  their  own  line  between  the 
Exclusion  Zone,  where  it’s  too  risky  to  ven¬ 
ture,  and  the  beaches,  rain  forests  and 

The  Five  Universal 
Risks  to  Software 
Projects 

1  Schedule  flaws  Either  an  error  in 
the  original  schedule  or  an  error  in  the 
way  the  project  is  run  can  affect  its  timing. 

Requirements  inflation  This 
happens  when  what  is  needed  from 
the  project  changes  during  development. 

Staff  turnover  When  key  people 
leave  during  a  project,  it  can  have 
a  serious  impact  on  continuity  and  schedule. 

Specification  breakdown 

Anything  less  than  complete  agree¬ 
ment  on  project  specifications  can  be  fatal. 

Underperformance  Substandard 
work  by  anyone  on  the  development 
team  will  affect  project  quality. 

SOURCE:  WALTZING  WITH  BEARS 


coconut  groves,  where  the  living  is  easy  and 
the  threats  are  manageable. 

The  Trap  of 
Common  Sense 

ven  a  simple  task  like  choosing  to 
drive  to  work  requires  a  risk  assess¬ 
ment,  although  not  a  computational 
one;  you  can  do  shorthand  probability  in 
your  head.  Though  the  cost  of  being  wrong 
is  high,  the  risk  is  relatively  low  (a  5  percent 
probability  of  being  seriously  hurt  in  a  car 
accident)  and  easily  mitigated  by  wearing  a 
seat  belt. 

This  sort  of  informal  risk  analysis  can 
sometimes  be  useful.  Steve  Snodgrass,  CIO 
of  construction  materials  supplier  Granite 
Rock,  has  the  misfortune  of  managing  IT 
for  a  company  that  literally  straddles  the 
San  Andreas  Fault.  Snodgrass  doesn’t  need 
statistics  to  tell  him  that  it  would  be  a  bad 
idea  to  do  nothing  to  mitigate  the  possibil¬ 
ity  that  a  quake  will  take  out  his  critical 
applications.  So  he  outsources  his  applica¬ 
tions’  backup  far  from  the  fault  line. 

However,  CIOs  often  use  this  kind  of 
commonsense  reasoning  as  a  way  to  avoid 


Raytheon  CIO  Rebecca  Rhoads  credits 
formalized  risk  management  with  lowering 
her  company’s  project  failure  rate. 

doing  real  risk  analysis,  say  Tom  DeMarco 
and  Timothy  Lister,  authors  of  Waltzing 
with  Bears:  Managing  Risk  on  Software 
Projects ,  a  primer  on  statistical  risk  analysis 
for  IT.  “It’s  been  very  frustrating  to  see  a 
best  practice  like  statistical  analysis  shunned 
in  IT,”  says  Lister.  “It  seems  there’s  this  enor¬ 
mously  strong  cultural  pull  in  IT  to  avoid 
looking  at  the  downside.” 

In  lieu  of  choosing  projects  based  on 
acceptable  risk,  Ryder’s  Sanchez  says,  IT 
often  uses  what  he  calls  the  moral  argument, 
in  which  the  greatest  risk  lies  in  not  doing 
the  project.  Therefore,  the  risk  is  mitigated 
by  doing  the  project.  This  reasoning  was 
particularly  valid  during  the  boom  years 
when  there  was  a  palpable  fear  of  getting 
left  behind  technologically.  But  it  was  never 
called  risk  analysis.  “I  came  into  IT  and  was 
never  really  comfortable  with  the  moral 
argument,”  says  Sanchez,  whose  back¬ 
ground  is  in  engineering  and  finance.  “I  was 
looking  at  it  thinking,  We  analyze  the  risk  of 
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The  Shape  of  Risk 


Even  without  any  numbers,  the  basic  probability  curve  can  convey 
plenty  of  information  about  the  risk  it  describes.  Here’s  a  cheat  sheet 
for  deciphering  probability  curves. 

The  Basic  Curve  The  basic  probability 
curve  looks  like  an  anthill.  Here,  the  X  axis 
represents  potential  outcomes  from  worst 
to  best,  going  left  to  right.  The  Y  axis  repre¬ 
sents  the  probability  of  those  outcomes, 
from  lowest  to  highest,  going  bottom  to  top. 

The  highest  point  on  the  curve  indicates  the 
most  likely  outcome  of  the  risk.  The  best 
case  falls  at  the  far  right  and  worst  case  far 
left,  both  with  the  lowest  probabilities  of  occurrence. 

A  steeper,  narrower  curve  (the  red  line)  represents  more  certainty  about  the 
outcome,  since  more  potential  outcomes  fall  in  a  smaller  range.  A  low,  broad  curve 
(the  blue  line)  represents  less  certainty  about  a  risk’s  potential  impact  on  a 
project.  With  this  understanding,  you  can  determine  the  likelihood  of  potential  risk 
outcomes  with  a  quick  look  at  a  distribution  chart. 


The  Optimistic  Curve  While  steep¬ 
ness  of  the  curve  indicates  certainty, 
its  tilt  describes  relative  outlook. 

A  risk  distribution  that  tilts  to  the  right 
represents  a  more  optimistic  outlook, 
since  the  higher  proba¬ 
bility  results  are  closer 
to  the  best  possible 
outcome. 


The  Pessimistic  Curve  On  the  other 
hand,  a  curve  that  leans 
to  the  left  shows  a  more 
pessimistic  view  of  the 
risk,  since  there's  more 
probability  that  the  outcome  will  fall  on 
the  worst-case  side  of  the  spectrum. 


building  a  new  office,  but  we  don’t  on  an 
ERP  system  that  costs  the  same  amount.” 

How  to  Create  a 
Risk  Analysis  Process 

As  the  director  of  foreign  exchange  at 
Merck,  Art  Misyan  uses  statistical 
risk  analysis  for  evaluating  the 
impact  of  foreign  currency  volatility.  Like 
Sanchez,  he’s  puzzled  by  IT’s  laissez-faire 
attitude  toward  risk  analysis.  “Risk  gives 
you  the  ability  to  look  at  a  whole  range  of 
outcomes,  but  IT  looks  at  only  two  possible 
outcomes,”  he  says.  “Either  you  hit  dead¬ 
lines  or  budgets,  or  you  don’t.” 

IT  needs  to  think  in  probabilities,  Misyan 
says,  not  ones  and  zeros.  The  best  way  to 
start  is  for  the  CIO  to  formalize  the  risk 
process.  “First  you  have  to  set  up  a  process 


to  determine  and  track  risks,”  he  says.  The 
good  news  is  that  much  of  the  risk  process  is 
built  into  project  management  methodolo¬ 
gies  CIOs  have  been  adopting  anyway,  so  it 
should  be  familiar.  Here  are  the  basics  for 
developing  a  risk  analysis  process. 

Gather  experts  to  determine  project 
risks.  These  brainstorming  sessions  should 
be  free  and  creative.  “You  want  the  pessimist 
in  the  group,  the  dark  cloud,”  says  Anne 
Rogers,  director  of  information  safeguards 
at  Waste  Management,  who  teaches  risk 
analysis.  “You  want  the  person  that  will  ask. 
What  if  a  truck  ran  into  the  building?” 

When  you  don’t  ask  the  off-the-wall  ques¬ 
tion,  you  run  the  risk  of  smacking  into  it. 
“Motorola  gambled  on  developing  Iridium 
satellite  phones  and  charging  $7  a  minute,” 
recalls  DeMarco.  “No  one  seemed  to  won¬ 


der  what  would  happen  if  cell  phones  came 
along  offering  similar  service  for  10  cents  a 
minute  and  free  nights  and  weekends.” 

Assign  researchers  to  uncover  known 
risks.  “We  came  up  with  20  or  30  risks  we 
knew  we’d  face  by  research,”  says  Sandy 
Lazar,  director  of  key  systems  for  the  Dis¬ 
trict  of  Columbia,  who  is  overseeing  a  five- 
year,  $71.5  million  administrative  systems 
modernization  program  (see  “Get  a  Grip  on 
Risk”  at  www.cio.com/printlinks).  “If  you 
read  up,  you  realize  ERP  has  failed  over  and 
over  for  the  same  reasons  for  15  years  now.” 
In  fact,  there  are  five  typical  risks  to  soft¬ 
ware  projects  that  every  CIO  should  include 
in  a  risk  analysis  (see  “The  Five  Universal 
Risks  to  Software  Projects,”  Page  62). 

Divide  risks  into  two  categories— local 
and  global.  The  risk  of  staff  turnover  during 
a  project  is  a  local  risk.  War  is  a  global  risk. 
Often,  those  new  to  risk  analysis  focus  only 
on  the  local  risks,  but  they  need  to  consider 
the  global  risks  and  their  impact. 

Create  a  template  for  each  risk.  The 
template  should  include  a  unique  risk  num¬ 
ber,  a  risk  owner,  potential  costs  (in  dollars 
and  other  terms),  a  probability  of  occurrence 
(a  low-medium-high  scale  will  do  at  this 
point),  any  potential  red  flags  or  signs  that 
the  risk  is  materializing,  mitigation  strate¬ 
gies  and  a  postmortem  for  noting  if  the  risk 
factor  actually  happened.  (A  good  example 
of  such  a  template  can  be  found  in  Waltzing 
with  Bears.  See  “Risk  Control  Form”  at 
www,  do.  com/printlinks . ) 

One  important  footnote  for  developing 
this  process:  Value  consistency  over  accuracy. 
If  you  do  things  in  a  consistent  manner  and 
the  numbers  are  off,  at  least  they’ll  be  off  in 
a  consistent — and  therefore  fixable — way. 
“The  process,”  says  Raytheon’s  Rhoads,  “is 
so  much  more  important  than  the  math 
rigor.  Mature,  consistent  processes — you 
need  that  first.” 

How  to  Use  Monte  Carlo 
Simulations 

nee  you  have  a  repository  of  proj¬ 
ect  risks,  you  can  get  statistical.  The 
most  commonly  used  tool  for  this 
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is  the  Monte  Carlo  simulation.  This  tech¬ 
nique  was  developed  in  the  1940s  for  the 
Manhattan  Project.  It’s  used  today  for  every¬ 
thing  from  deciding  where  to  dig  for  oil  to 
optimizing  the  process  of  compacting  trash 
at  a  waste  treatment  facility.  It’s  a  decep¬ 
tively  simple  but  powerful  tool  for  risk 
analysis.  All  Monte  Carlo  really  does  is  roll 
the  dice  (hence  the  name). 

Here’s  the  theory:  Roll  a  die  100  times, 
and  record  the  results.  Each  face  will  come 
up  approximately  one-sixth  of  the  time — but 
not  exactly.  That’s  because  of  randomness. 
Roll  the  die  1,000  times,  and  the  distribution 
becomes  closer  to  one-sixth.  Roll  it  a  million 
times,  and  it  gets  much  closer  still. 

The  die  represents  risks — albeit  evenly 
distributed,  predictable  risks — where  each 


side  has  about  a  one-sixth  probability  of 
occurrence  or  a  five-sixths  probability  of  not 
occurring.  What  if  each  die  were  a  project 
risk  and  each  side  represented  a  possible  out¬ 
come  of  that  risk?  Say  one  die  was  for  the 
risk  of  project  delays  due  to  staff  turnover. 
One  side  would  represent  the  possibility  that 
the  project  is  six  months  late  because  of 
20  percent  turnover.  Another  side  could  rep¬ 
resent  a  two-year  delay  due  to  80  percent 
turnover.  The  die  could  also  be  unevenly 
weighted  so  that  certain  outcomes  are  more 
or  less  likely.  There  would,  of  course,  be  dice 
for  other  risks — sloppy  development,  budget 
cuts  or  any  other  factor  unearthed  during 
preliminary  research. 

Monte  Carlo  simulators  “roll”  all  those 
risks  together  and  record  the  combined  out- 


Anne  Rogers,  director  of  information  safe¬ 
guards  at  Waste  Management,  prefers 
decision  tree  risk  analysis  for  its  ability  to 
assess  sequential,  compounding  risks. 


comes.  The  more  you  roll  the  dice,  the  more 
exact  they  make  the  distribution  of  possible 
outcomes.  What  you  end  up  with  resembles 
an  anthill  (see  “The  Shape  of  Risk,”  Page 
64),  where  the  highest  point  on  the  curve  is 
the  most  likely  outcome  and  the  lowest  ends 
are  possible  but  less  likely. 

Once  you  determine  a  project’s  risk  pro¬ 
file,  you  can  build  in  extra  resources  (like 
money  and  time)  to  mitigate  the  risks  on  the 
highest  points  of  the  curve.  If  the  distribu¬ 
tion  says  there’s  a  50  percent  probability  the 
project  will  run  six  months  late,  you  might 
decide  to  build  three  extra  months  into  the 
schedule  to  mitigate  that  risk. 

Monte  Carlo  simulators  also  let  you  run 
“sensitivity  analyses” — rolling  only  one  die 
while  keeping  the  others  fixed  on  a  particu¬ 
lar  outcome  to  see  what  happens  when  just 
one  risk  changes.  A  health-care  company 
(that  requested  anonymity)  using  a  Monte 
Carlo  simulator  from  Glomark  ran  a  sensi¬ 
tivity  analysis  for  a  pending  software  proj¬ 
ect.  Each  die  was  rolled,  one  at  a  time,  500 
times  while  the  other  dice  were  kept  fixed 
on  their  most  likely  outcomes.  The  exercise 
showed  that  three  of  the  nine  risks  repre¬ 
sented  87  percent  of  the  potential  impact  on 
the  project — allowing  the  company  to  focus 
its  energy  there. 

You  can  (and  should)  repeat  Monte  Carlo 
simulations  for  all  the  projects  in  your  port¬ 
folio,  ranking  them  from  riskiest  to  safest. 
This  will  help  you  generate  an  “efficient  fron¬ 
tier” — a  line  that  shows  the  combination  of 
projects  that  provide  the  highest  benefit  at  a 
predetermined  level  of  risk — something  like 
the  line  across  Montserrat.  An  efficient  fron¬ 
tier  helps  you  avoid  unnecessary  risk.  It  will 
help  stop  you  from  choosing  one  project 
portfolio  that  has  the  same  risk  but  lower 
benefits  than  another. 

Admittedly,  this  description  glosses  over 
some  of  Monte  Carlo’s  dirty  work.  Some- 
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one  has  to  determine  which  dots  to  put  on 
the  dice  and  how  to  weight  the  individual 
dots.  That’s  your  job.  Canvass  your  experts, 
mine  historical  data,  and  do  whatever  else 
you  can  to  come  up  with  possible  outcomes 
from  each  risk,  and  then  estimate  the  prob¬ 
ability  of  that  result  occurring.  In  other 
words,  the  risks  themselves  are  a  range  of 
outcomes  contributing  to  a  further  range  of 
possible  outcomes  for  any  given  project,  or 
even  combinations  of  projects. 

The  best  way  to  create  the  risk  dice  is 
with  a  triangle  distribution.  Determine  three 
data  points:  the  best  case  outcome,  the  worst 
case  and  the  most  likely  case.  Assume  the 
best  and  worst  cases  have  low  probabilities 
and  the  most  likely  case  is  somewhere  in 
between.  (See  Figure  1,  below.) 

Figure  1.  Triangle  Distribution 


In  the  staff  turnover  example,  the  worst 
case  might  be  a  two-year  delay  due  to  80  per¬ 
cent  turnover.  The  best  case  may  be  no  delay 
due  to  no  turnover.  The  most  likely — based 
on  experience  and  research — might  be  the 
previously  stated  six-month  delay  from 
20  percent  turnover.  Chart  this  on  a  proba¬ 
bility  distribution  grid,  and  you  get  a  triangle. 

Take  that  triangle  and  others  you  create 
for  all  project  risks,  run  Monte  Carlo  simu¬ 
lations,  and  you’ll  come  up  with  the  smooth 
anthill  curve  that  shows  overall  risks  to  your 
project. 

Vitro,  a  $2.6  billion  glass  company  in 
Monterrey,  Mexico,  has  done  this  on  many 
IT  projects  (it’s  now  required  for  projects 
valued  at  more  than  $20,000).  “No  one 
wanted  to  measure  at  first,”  says  Gustavo 
Benitez,  manager  of  Vitro’s  IT  supply  chain. 
“Because  measuring  makes  you  accountable. 
We’re  not  that  deep  into  it;  we  only  use  best 
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When  to  Use  Which  Tool 

Both  Monte  Carlo  and  decision  tree  analyses  are  powerful  tools,  but  each  has  its 
particular  strengths.  Monte  Carlo  simulations  are  good  for  accounting  for  multiple 
risks  occurring  simultaneously.  Decision  trees  excel  at  analyzing  sequential  risks 
compounding  over  time.  Given  those  frameworks,  here’s  a  look  at  several  scenarios 
and  whether  you  would  be  better  off  rolling  the  dice  or  climbing  the  tree. 


Decision  Tree 

Monte  Carlo 

Decision  based  on  monetary  value 

Decision  based  on  criteria  other  than 
value,  such  as  a  schedule 

Sequential  decisions  required 

Decisions  involve  one  variable 

Few  variables  or  low  probability 

More  than  five  variables  in  complex 

variables  that  are  easily  calculated 

environment 

Analyzing  two  possible  decisions 
against  each  other 

Analyzing  an  entire  portfolio  strategy 

SOURCE:  RISK  AND  DECISION  ANALYSIS  IN  PROJECTS  BY  JOHN  R.  SCHUYLER 


case,  worst  case  and  most  likely,  and  already 
it  helps.  It  helps  you  see  different  scenarios.” 

Certain  risk  metrics  are  predetermined. 
DeMarco  and  Lister’s  five  core  risks  to  soft¬ 
ware  projects  have  been  given  probability 
distributions  based  on  historical  data.  If 
you’re  still  worried  about  assigning  a  mean¬ 
ingful  number  to  risks,  Lister  says  relax  and 
just  guess.  “Guess  a  number  just  to  get 
going,”  he  says.  “Even  that  will  be  better 
than  how  IT  approaches  risk  today.” 

How  to  Do  Decision 
Tree  Analysis 

The  other  major  risk  analysis  method¬ 
ology  applicable  to  IT  project  port¬ 
folio  management  is  decision  tree 
analysis.  Where  Monte  Carlo  excels  at 
shaping  what  happens  when  many  risks  are 
in  play  at  once  (such  as  launching  an  ERP 
project),  a  decision  tree  proves  most  useful 
at  mapping  either-or  situations  and  the 
sequential  risks  that  follow  each  decision 
(for  example,  either  I  build  a  new  factory 
or  retrofit  an  old  one).  Each  choice  is  a 
branch  with  an  attached  probability, 
derived  the  same  way  all  risks  are  derived — 
through  brainstorming  and  research.  Each 
branch  leads  to  other  branches,  which  are 
the  risks  that  result  from  choosing  the  orig¬ 
inal  branch. 

The  key  to  analyzing  decision  trees  is 
knowing  that  the  probabilities  compound. 
This  is  why  Waste  Management’s  Rogers 
likes  them.  Decision  trees  often  show  that 
good  risk  decisions  are  counterintuitive,  if 
you  follow  the  branches.  “I’ll  give  some 
outlandish  choice,  like  rewiring  your  office 
or  building  a  new  one,”  Rogers  says. 
“Everyone  thinks  they  know  which  is  less 
risky,  but  you  watch  the  risks  compound 
over  time  and  guess  what,  it’s  not  nearly 

CIO.COm  Don’t  risk  playing  with  fire 
any  longer.  Go  online  to  find  the  Waltzing 
With  Bears  RISK  CONTROL  FORM  as  well  as 
an  INTERACTIVE  MONTE  CARLO  risk 
analysis  tool.  Go  to  the  online  version  of 
this  article,  “Playing  with  Fire,”  at 
www. cio. com/070103. 


as  risky  as  you  think  to  build  a  new  office 
in  certain  situations.” 

Decision  trees  are  also  powerful  presen¬ 
tation  tools  for  executives,  as  long  as  you 
don’t  drop  an  entire  tree  on  the  CEO.  They 
can  be  unwieldy.  They  branch  out  quickly 
with  thousands  of  potential  paths.  A  CIO 
must  keep  them  under  control.  To  demon¬ 
strate  the  path  of  certain  decisions,  limit  the 
branches  to  only  the  most  important  risks, 
and  simply  leave  out  remote  risks. 

Final  Analysis 

Risk  analysis  takes  some  getting  used 
to.  Anyone  not  steeped  in  this  world 
may  misinterpret  the  results  of  any 
given  analysis.  For  example,  if  you  say 
there’s  a  90  percent  chance  it  will  rain 
tomorrow,  and  the  day  ends  up  being  sunny, 
your  analysis  still  may  have  been  perfect. 
There  was,  after  all,  a  one  in  10  chance  the 
sun  would  shine,  and  indeed  it  did. 

The  hardest  part  of  risk,  especially  for 
CIOs,  is  that  it  doesn’t  provide  concrete 
answers.  Risk  analysis  will  not  tell  you 
which  project  to  do.  It  will  tell  you  which 
ones  fall  into  a  certain  level  of  risk  and 
payoff.  Provide  the  same  IT  portfolio  and 
the  same  risk  analysis  to  Rogers  of  Waste 
Management  and  Lynn  Caddell,  CIO  of 


Yellow  Freight,  and  they  will  most  likely 
choose  a  different  set  of  projects  to  pursue. 

“We’re  not  real  risk-averse  right  now,” 
Rogers  notes.  “If  they’re  handled  right, 
we’re  ready  to  take  some  risks.” 

On  the  other  hand,  Caddell’s  current  cru¬ 
sade  is  to  ensure  timely  delivery  of  projects, 
and  she’s  not  eager  to  take  on  anything  that 
might  compromise  that  mission.  “Last  year 
we  were  96  percent  on  time  with  projects, 
and  I  attribute  that  to  risk  management,” 
she  says. 

Ultimately,  the  CIO  must  understand  his 
enterprise’s  culture  and  know  which  risks 
are  worth  taking.  No  amount  of  risk  analy¬ 
sis  will  lift  the  decision-making  burden  from 
the  CIO’s  shoulders  or  ensure  the  success  of 
any  project.  Risk  analysis  is  a  tool,  not  a 
substitute  for  leadership.  After  all,  it  takes  a 
leader  to  understand  that  although  there’s 
no  such  thing  as  a  sure  bet,  decisions  must 
be  made. 

“In  these  matters,  the  only  certainty  is 
that  nothing  is  certain,”  famously  noted 
Pliny  the  Elder,  who,  incidentally,  died  from 
ash  inhalation  in  79  A.D.,  when  the  volcano 
Mount  Vesuvius  erupted.  QI3 


Senior  Editor  Scott  Berinato  can  be  reached  via 
e-mail  at  sberinato@cio.com. 
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Playing  by  New  Rules 


Health-Care  Security 


PUBLICATION  OF  THE  LONG-AWAITED  HIPAA  FINAL 

Security  Rule  in  February  didn’t  exactly  create  the  frenzy  of  a  new  Harry  Potter 
novel  hitting  the  bookshelves.  Health-care  CIOs  were,  after  all,  busy  worrying 
about  complying  with  the  April  14,  2003,  deadline  for  the  Privacy  Rule— and  then 
there  is  the  October  2003  deadline  for  HIPAA  Transaction  and  Code  Standards  to 
contend  with.  It  would  be  easy  for  companies  to  put  the  Security  Rule  lower  on  the 
priority  list  since  the  government’s  compliance  deadline  is  still  two  years  away.  Yet 
while  it’s  tempting  to  ration  the  number  of  brain  cells  devoted  to  HIPAA  (the 
Health  Insurance  Portability  and  Accountability  Act  of  1996),  health-care  CIOs 
can’t  afford  to  put  security  on  the  back  burner  for  long— if  at  all. 

“It’s  true  that  from  the  perspective  of  the  Department  of  Health 
and  Human  Services,  the  Security  Rule  is  not  enforceable  until  April 
21,  2005.  But  HHS  could  impose  penalties  for  security  breaches 
based  on  the  Privacy  Rule,  so  by  any  other  measure,  you  should’ve 
done  it  yesterday,”  says  Kate  Borten,  president  of  health-care  security 
and  privacy  consultancy  The  Marblehead  Group  and  author  of 
HIPAA  Security  Made  Simple.  “Don’t  get  lulled  into  thinking  you 
have  a  couple  of  years.” 

While  HIPAA  fines  won’t  likely  be  levied  for  any  security  breaches 
that  occur  before  2005,  should  your  organization  suffer  a  breach 
tomorrow  you  can  expect  to  find  yourself  on  the  front  page  of  The 
New  York  Times  or  the  target  of  a  class-action  lawsuit  on  behalf  of 
patients  whose  data  was  exposed.  And  either  of  those  things  could 
make  HIPAA  penalties  seem  as  harmless  as  drawing  the  “Go  to  jail” 
card  in  a  Monopoly  game. 

Yet  so  far,  less  than  10  percent  of  health-care  organizations  recently 
polled  by  Gartner  Research  have  implemented  the  security  policies  and 
procedures  required  by  HIPAA.  And  only  78  percent  of  health-care 
providers  met  the  April  deadline  for  Privacy  Rule  compliance,  accord¬ 
ing  to  the  Health  Information  and  Management  Systems  Society.  Many 
organizations  are  waiting  to  see  what  will  happen  to  noncompliers. 

“They  figure  the  fines  are  cheaper  than  going  into  HIPAA  compliance,” 
says  Wes  Rishel,  vice  president  and  research  area  director  at  Gartner. 

“That’s  a  dangerous  attitude.” 

While  enforcement  may  not  be  stringent  at  first,  he  predicts  that 
the  government,  along  with  the  Joint  Commission  on  Accreditation  of 


LAYING  BY 
EW  RULES 

our  Risks  and 
Responsibilitie 


PART  3 


Editor's  Note:  This  story  is  the  third  in 
our  series  about  key  legislation  that 
profoundly  affects  how  your  company 
manages  data,  ensures  security  and 
protects  privacy.  Find  the  first  two  arti¬ 
cles,  on  the  USA  Patriot  and  Sarbanes- 
Oxley  Acts,  at  www.cio.com/newrules. 


Reader  ROI 

►  Why  smart  CiOs  have  already 
started  implementing  HIPAA’s 
Security  Rule 

►  How  to  analyze  your  vulner¬ 
abilities  and  assess  your  risk 

►  Why  HIPAA  compliance  is  a 
never-ending  process 


www.cio.com  •  JULY  1.  2003  CIO  71 


Ipf&ri, 


Questions  are  everywhere.  Insight  is  not  Making  important 


decisions  is  your  job.  Delivering  the  insight  to  help  you  make 


smarter  decisions  is  ours.  We  are  Microsoft  Business  Solutions. 


Financial  Management 


Analytics 


Project  Management 


Human  Resource  Management 


Customer  Relationship  Managemer 


'•  rv:;~  > '  5*  m 


■  .  .  >  -  ?;  •>,•«.  ••  \ 

;v  \ 

1  \ 

V ■;•■■•  '  •.  •  •  .-V»-' ..  »:'.  :  ,'•'  .'••  \  . 


With  business  applications  and  services  from  financial  management  to  customer  relationship  management,  we 
have  the  experience  and  resources  to  help  you  succeed  in  a  business  world  where  surprises  are  daily  events.  To 
learn  more,  visit  microsoft.com/BusinessSolutions/lnsight  Software  for  the  Agile  Business. 


Microsoft 

Solutions 


Field  Service  Management 


Supply  Chain  Management 


Manufacturing 


Retail  Management 


E-Commerce 


Playing  by  New  Rules  |  Health-Care  Security 


Healthcare  Organizations,  or  JCAHO,  will 
eventually  crack  down  on  those  organiza¬ 
tions  that  have  “fallen  to  the  back  of  the 
pack”  in  compliance.  “You  don’t  need  to 
be  the  first,  but  you  don’t  want  to  be  the 
last,”  Rishel  warned  at  a  recent  Gartner 
symposium. 

One  major  challenge  in  complying  with 
HIPAA  is  ensuring  the  security  of  technolo¬ 
gies  that  are  still  evolving,  such  as  wireless 
PDAs.  Hackers,  after  all,  are  often  one  step 
ahead  of  security  tool  developers.  “With 
Y2K  there  were  technologies  and  techniques 
[to  help  ease  the  transition  to  the  new  mil¬ 
lennium]  in  the  industry  prior  to  the  arrival 
of  Dec.  31,  1999,”  says  Stephanie  Reel,  CIO 
and  vice  president  of  IS  at  The  Johns  Hop¬ 
kins  University.  “I’m  not  as  comfortable  that 
all  of  the  technologies  will  be  available  as 
needed  to  make  the  environment  as  secure 
as  it  should  be.” 

Still,  Reel  can’t  argue  with  HIPAA’s  goals. 
“Most  of  the  HIPAA  legislation  is  good 
common  sense,”  she  says.  “It’s  the  execu¬ 
tion  that  gives  us  all  a  little  heartburn.” 


To  help  minimize  HIPAA  heartburn, 
here’s  a  checklist  to  help  you  jump-start  your 
Security  Rule  compliance  plan. 


Do  Your 

Homework _ 

The  final  rule  reads  like  a  syllabus 
for  Infosec  101:  a  list  of  best  prac¬ 
tices  in  information  security  designed  to 
ensure  the  confidentiality,  integrity  and  avail¬ 
ability  of  electronic  patient  data.  And  that’s 
good  news  for  CIOs.  “A  lot  of  what  they’re 
telling  us  to  do  under  the  Security  Rule  are 
really  things  we  needed  to  do  anyway,”  says 
John  Houston,  privacy  officer  and  director 
of  IS  for  the  University  of  Pittsburgh  Med¬ 
ical  Center  (UPMC). 

At  Johns  Hopkins,  Reel  has  already 
invested  in  intrusion  detection  and  antivirus 
software,  and  has  established  audit  trails, 
tracking,  disaster  recovery,  data  backup  and 
emergency  operations  plans.  With  the 
weight  of  law  behind  it,  HIPAA  gives  CIOs 
the  leverage  (and  funding  justification) 


How  to  Meet  HIPAA’s 
Security  Deadline 

If  you  haven’t  already  started  the  first  phase  of  compliance, 
better  get  cracking.  Here’s  howto  break  compliance  down  into 
three  manageable  phases  and  a  schedule  fortackling  them. 
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they  need  to  shore  up  security. 

The  rule  itself  outlines  some  40  best  prac¬ 
tices  in  administrative,  physical  and  technical 
security.  (Visit  www.cio.com/printlinks  for 
links  to  a  summary  of  the  rule  and  other 
HIPAA  resources.)  It  is  appropriately  tech¬ 
nology  neutral,  since  what  works  well  for  a 
large  hospital  or  insurance  company  might 
not  scale  to  a  small  doctor’s  office.  And  for 
the  same  reason,  the  rule  errs  on  the  side  of 
vagueness  versus  detailed  requirements.  “The 
security  regs  aren’t  all  that  prescriptive,”  says 
Phil  Kahn,  CIO  of  St.  Peter’s  Health  Care 
Services  in  Albany,  N.Y.  “They  don’t  tell  you 
exactly  how  to  solve  a  problem,  just  that 
you’re  responsible  for  the  security  of  data.” 

The  final  rule  was  watered  down  some¬ 
what  from  the  proposed  rule,  in  part,  says 
Borten,  because  of  the  Bush  administration’s 
laissez-faire  attitude  toward  business.  Sev¬ 
eral  things  that  were  required  in  the  pro¬ 
posed  rule,  such  as  encryption,  are  now 
classified  as  “addressable,”  meaning  that  if 
organizations  believe  that  something  is  not  a 
risk  to  them,  or  take  a  different  approach 
to  minimizing  that  risk,  they  must  document 
what  they’re  doing  and  why  it’s  appropri¬ 
ate.  Addressable  is  not,  however,  a  synonym 
for  optional.  At  Humana,  a  large,  Louisville, 
Ky.-based  health  benefits  company  with 
approximately  6  million  members,  Vice 
President  of  IT  Mitzi  Silliman  makes  no 
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distinction  between  the  two.  “Addressable?” 
she  says.  “We  read  that  as,  You’re  big,  you’d 
better  be  secure.” 


Prepare 

-tftDreeln . 

The  Security  Rule  and  its  April 
2005  deadline  should  already 
be  on  the  executive  radar  screen;  if  not,  get 
it  there.  Executive  buy-in  is  essential  to  a 
genuine  commitment  to  security.  You  also 
need  to  craft  a  communication  plan  to  raise 
employee  awareness  each  step  of  the  way. 
“You  need  to  tell  them  what  changes  are 
coming,  how  it  will  affect  them,  the  time 
frame  for  rollout  and  what  training  to 
expect,”  says  Cynthia  Smith,  senior  man¬ 
ager  with  PricewaterhouseCoopers’  HIPAA 
security  and  privacy  practice.  “If  the  end 
user  hasn’t  bought  in,  the  best  security  plan 
in  the  world  won’t  work.” 

Organizations  should  also  establish  a 
HIPAA  security  team  and  are  now  required 
to  appoint  someone  to  oversee  security. 
Chances  are,  you  can  draw  on  much  of  your 
HIPAA  privacy  compliance  team  for  the 
security  compliance  team.  But  don’t  assume 
that  oversight  of  security  belongs  in  your 
bailiwick.  Having  the  CIO  in  charge  of  secu¬ 
rity  isn’t  necessarily  in  the  organization’s  best 
interest.  “The  average  CIO  or  director  of  IT 


Stephanie  Reel,  CIO  for  Johns  Hopkins,  has 
already  implemented  much  of  the  security 
provisions  required  by  HIPAA  to  protect  her 
patients’  privacy  and  secure  her  systems. 

does  not  have  an  information  security  back¬ 
ground,”  says  Marblehead  Group’s  Borten. 
Chris  Byrnes,  vice  president  and  director  for 
security  at  Meta  Group,  recommends  that 
CIOs  use  HIPAA — and  its  requirement  that 
organizations  appoint  a  security  officer — as 
an  opportunity  to  transfer  overall  oversight 
of  security  to  someone  else.  “This  is  CIOs’ 
big  chance  to  reduce  their  own  liability  and 
to  ensure  that  it’s  viewed  as  a  corporate 
responsibility,”  he  says. 

Classify 

.YoucData . 

Before  you  can  begin  to  apply 
the  Security  Rule,  you  first 
need  a  very  clear  understanding  of  exactly 
what  electronic  patient  data  in  your  organ¬ 
ization  is  considered  protected  health  infor¬ 
mation,  or  PHI.  (The  Security  Rule  only 
deals  with  electronic  patient  data.)  You  also 
need  to  know  where  all  of  that  data  is  stored 
and  where  it’s  transmitted.  Fred  Langston, 
senior  principal  consultant  at  Guardent,  a 
managed  security  services  provider,  says  that 
many  organizations  skip  this  critical  first 
step — and  that  shortcut  often  costs  them 
money  in  the  long  run. 

Health-care  organizations  also  tend  to 
determine  which  data  employees  can  access 
on  a  case-by-case  basis.  This  user-based 
access  system  involves  setting  up  rights  and 
permissions  for  each  employee,  a  time- 
consuming  proposition.  Classifying  data 
often  leads  organizations  to  establish  a  role- 
based  access  system,  which  is  much  more 
efficient.  With  role-based  access,  organiza¬ 
tions  need  only  to  figure  out  access  rights  for 
each  role;  doctors,  for  example,  can  see  an 
entire  patient  record,  but  claims  adjusters 
should  get  access  only  to  the  information 
pertinent  to  a  specific  claim.  Role-based 
access  isn’t  mandated  by  HIPAA,  but  it’s  a 
cost-effective  way  of  meeting  the  legislation’s 
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requirement  that  data  is  available  only  on  an 
as-needed  basis.  “Role-based  access  is  a  key 
linchpin  to  successful  implementation  of 
HIPAA,”  says  Langston. 

You  also  need  to  understand  the  value  of 
your  data.  Most  hospitals  collect  patients’ 
Social  Security  numbers,  yet  many  don’t 
worry  enough  about  the  threat  of  identity 
theft.  “The  lightbulb  hasn’t  gone  on  yet 
about  the  monetary  value  of  those  IDs,” 
says  Langston.  They  are  readily  traded  on 
the  black  market  because  they  can  be  used 
to  establish  lines  of  credit. 

And  while  you’re  thinking  about  data, 
give  some  thought  to  how  you’re  going  to 
handle  the  avalanche  of  audit  data  that 
HIPAA  requires  you  to  collect  and  save. 
Many  electronic  audit  tools  are  built  into 
systems,  but  you’ve  got  to  turn  them  on,  and 
you’ve  got  to  have  a  plan  for  how  to  store 
and  manage  the  resulting  deluge  of  data. 
And  someone  has  to  look  at  the  logs.  “The 
analysis  of  the  information  is  either  going 
to  have  to  be  automated,”  or  you’ll  need  a 
staff  of  analysts  combing  through  your  data 
warehouse,  says  Meta  Group’s  Byrnes. 

Assess  Your 

Vulnerability. ... 

The  key  to  an  effective  secu¬ 
rity  program  is  to  understand 
the  risk  level  in  your  organization  and  then 
to  spend  appropriately  to  mitigate  that  risk. 
So  once  you  know  what  your  protected 
health  information  is  and  where  it  lives,  the 
next  step  is  to  audit  existing  security  poli¬ 
cies,  practices  and  technologies  to  assess 
how  well  that  data  is  protected. 

Security  audit  methodologies  abound. 
Langston  recommends  considering  either  the 
Factor  methodology,  or  Octave,  which  was 
developed  by  Carnegie  Mellon’s  Software 
Engineering  Institute.  UPMC’s  Houston  has 
been  working  with  vendor  SecureState  to 
develop  an  automated  self-assessment  tool 
that  he  plans  to  roll  out  on  his  intranet  to  a 
subset  of  IT  employees.  Their  answers  to  a 
series  of  questions  (for  example,  Do  you 
back  up  data  daily?  Do  you  store  backups 


offsite?)  will  help  Houston  determine  which 
areas  need  work  to  meet  HIPAA  standards. 
Houston  also  plans  to  use  the  tool  to  check 
ongoing  compliance  once  the  Security  Rule 
goes  into  effect. 

Before  you  do  your  audit,  make  sure  your 
staff  has  enough  expertise  to  do  it  well.  “If 
you  don’t  have  security  expertise,  get  it,  rent 
it,  buy  it  in  a  consultant,”  says  Greg  Walton, 
senior  vice  president  and  CIO  of  Carilion 
Health  System  in  Roanoke,  Va.  “You  have  a 
moral  obligation — forget  the  legal  obliga¬ 
tion — to  understand  how  totally  vulnerable 
you  are.” 

The  end  result  of  your  audit  and  gap 
analysis,  which  you  should  aim  to  finish  by 
year’s  end,  should  be  a  list  of  vulnerabilities 
showing  the  areas  in  which  your  security 
measures  fail  to  live  up  to  HIPAA  standards. 

Know  the  Risks  to 
Mitigate— and  How 

With  your  list  of  vulnerabilities 
in  hand,  you  can  now  figure 
out  which  are  reasonable  to  address.  To  do 
that,  you’ve  got  to  weigh  the  likelihood  and 
possible  resulting  damage  of  each  potential 
risk.  Most  breaches  to  date  haven’t  involved 
hackers  but  instead  have  been  low-tech 
thefts  of  hard  drives  or  floppy  disks,  often 
by  disgruntled  employees.  Last  December, 
for  instance,  thieves  stole  hard  drives  con¬ 
taining  more  than  500,000  members’  Social 
Security  numbers  from  the  Phoenix  office  of 
TriWest,  a  managed  care  provider  serving 
the  military.  TriWest  has  already  been  hit 
with  one  class  action  as  a  result  of  the  breach. 

“One  theft  of  a  hard  drive  can  bring  a 
company  to  its  knees  with  a  class-action 
suit,”  says  Lisa  Gallagher,  senior  vice  presi¬ 
dent  of  information  and  technology  accred¬ 
itation  at  URAC,  a  nonprofit  health-care 
accreditation  company. 

You  also  need  to  factor  in  the  cost  to 
implement  controls  that  will  mitigate  each 
risk.  Better  physical  security — locks,  con¬ 
trolled  access  to  data  storage  areas — would 
be  a  relatively  low-cost  way  to  foil  would-be 
thieves.  But  if  the  cost  to  mitigate  a  risk  is 


Are  you  set  to  save 
space  and  minimize 
installation  and 
maintenance  costs  with 
a  modular  manageable, 
pre-engineered 
architecture? 


"If  I  had  purchased  the  incumbent  vendor's 
3-phase  upgrade  model,  I  would  have  paid 
75%  more  in  service  costs  over  the  next  four 
years  and  I  would  have  had  to  utilize  50% 
more  of  my  precious  floor  space. " 


Captain  Timothy  Riley 

Support  Services  Division 

City  of  Newport  Beach  Police  Department 


Many  IT  professionals  have  switched 
from  an  inflexible  proprietary  system  to 
network  critical  physical  infrastructure. 
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greater  than  the  cost  of  the  potential  breach, 
you  shouldn’t  bother  with  mitigation.  “I’m 
not  sure  everyone  can  afford  to  be  like  Fort 
Knox,”  says  St.  Peter’s  Kahn. 

To  arrive  at  a  reasonable  investment  level 
for  disaster  recovery,  for  example,  consider 
how  critical  the  data  is  to  your  institution. 

Keep  in  mind  that 

there’s  no  such  thing 
as  HIPAA-compliant 
technology, 

although  vendors 
would  dearly  love 
to  convince  you 
otherwise. 


“Maybe  you  can’t  afford  full  100  percent 
hot  site  recovery  in  four  hours,”  says  Price- 
waterhouseCoopers’  Smith.  “Maybe  you 
bring  up  critical  systems  that  support  patients 
[right  away]  but  billing  can  wait  a  few  days.” 

At  Sentara  Healthcare,  Vice  President  and 
CIO  Bert  Reese  is  backing  up  the  company’s 
five  major  systems  for  patient  records,  clin¬ 
ical  support,  registration,  billing  and  payroll 
processing  at  a  remote  site  managed  by 
IBM.  For  everything  else,  he  and  CTO  Jerry 
Kevorkian  arranged  contracts  with  vendors 
to  deliver  replacement  processors  in  the 
event  of  a  natural  disaster  within  one  to  two 
days.  So  instead  of  paying  IBM  around 
$650,000  a  year  to  back  up  everything, 
Reese  spends  only  $150,000  to  back  up  the 
five  critical  systems,  saving  roughly  half  a 
million  a  year.  Of  course,  that  requires  hav¬ 
ing  well-documented  manual  processes  to 
fall  back  on  while  waiting  for  the  replace¬ 
ment  equipment  to  arrive. 


6  Prioritize  Your 

Project  List . 

Byrnes  recommends  tackling 
administrative  and  physical 
security  policies  and  procedures  first — and 
wrapping  them  up  by  April  2004,  since 


organizations  will  need  at  least  a  year  to 
implement  security  technology.  Borten  agrees 
that  ideally,  policy  should  come  first.  But  at 
the  University  of  Texas  M.D.  Anderson  Can¬ 
cer  Center,  CISO  Lew  Wagner  puts  technical 
work  ahead  of  policy  documentation.  “I’d 
rather  have  the  technology  in  place  first,  then 
worry  about  policy,  rather  than  have  a  bunch 
of  paper  and  still  be  hacked,”  he  says. 

Obviously,  any  gaping  security  holes 
should  go  to  the  top  of  your  HIPAA  tech¬ 
nology  project  list.  Langston  advises  putting 
in  temporary  controls  to  patch  your  worst 
security  holes  until  you  can  implement  a 
fully  developed  solution.  But  make  sure  your 
project  blueprint  spells  out  the  plan  for  per¬ 
manent  resolution.  “You  will  have  met  the 
heart  of  the  Security  Rule  if  you  have  a  road 
map  to  compliance,”  he  says. 
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Although  the  scope  of  what  your 
mSr  organization  needs  to  do  to 
comply  with  the  Security  Rule  will  drive 
your  implementation  schedule,  you  should 
plan  to  begin  the  necessary  technical  work 
before  next  April.  (And  keep  in  mind  that 
there’s  no  such  thing  as  HIPAA-compliant 
technology,  although  vendors  would  dearly 
love  to  convince  you  otherwise.  Only  an 
organization  can  be  HIPAA-compliant.) 

Plenty  of  CIOs  have  been  working  on 
security  for  a  long  time.  At  M.D.  Anderson, 
for  example,  Wagner  was  hired  in  July  2000 
in  part  to  begin  HIPAA  compliance  work. 
Rather  than  wait  for  the  final  Security  Rule, 
he  initiated  M.D.  Anderson’s  gap  analysis  in 
the  fall  of  2000  and  has  been,  as  he  puts  it, 
shoring  up  the  castle  walls  around  the  whole 
organization  ever  since.  He  estimates  that  as 
of  April  he  was  60  percent  to  70  percent 
along  in  his  technology  road  map — a  list  of 
30  to  40  projects  identified  by  the  gap  analy¬ 
sis  as  necessary  to  comply  with  HIPAA. 

For  example,  Wagner  is  working  on  a  sin¬ 
gle  sign-on  system  that  will  relieve  users  of 
having  to  remember  multiple  passwords  to 
log  in  to  as  many  as  40  applications.  He’s 
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...before  you 
get  left  behind 
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distribution,  racks,  cabling,  cable  distribution, 
cooling,  and  cooling  distribution.  Strong  NCPI 
defends  your  IT  networks  against  security 
and  availability  problems. 
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it  is  required. 
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planning  to  use  fingerprint  biometrics 
instead  of  smart  cards,  since  the  latter  can  be 
easily  stolen  or  shared.  A  doctor  will  be  able 
to  walk  up  to  a  clinical  workstation  (many 
of  which  are  used  by  up  to  40  people  a  day), 
type  in  her  ID  and  place  a  thumb  on  the 
reader,  which  will  authenticate  her  and  give 
her  access  to  all  applications  she  is  author¬ 
ized  to  use.  (An  automatic  time-out  function 
will  log  users  off  after  they  walk  away  from 
the  screen.)  Since  doctors  and  nurses  are 
always  washing  their  hands  and  have  pow¬ 
dery  fingers  from  using  gloves,  Wagner  is 
considering  only  capacitance  readers  that 
use  small  electric  charges  to  verify  the  sub- 
dermal  fingerprint.  Capacitance  readers  are 
also  more  secure  than  optical  readers,  which 
can  be  fooled  with  an  image  or  an  imprint  in 
silly  putty  or  a  gel  pack. 

At  North  Florida  Medical  Centers,  a 
nonprofit  network  of  nine  satellite  clinics, 
MIS  Director  Lynn  Sims  is  also  turning  to 

cio.com  For  more  on  how  hospitals  use 
technology  to  comply  with  HIPAA  and  links  to  a 
summary  of  the  Security  Rule  and  other  HIPAA 
resources,  go  to  this  article,  EIGHT  (NOT  SO) 
SIMPLE  STEPS  TO  THE  HIPAA  FINISH  LINE, 
online.  Goto  www.cio. com/070103. 


biometrics.  But  he  has  already  ruled  out 
fingerprint  recognition.  First,  there  was  the 
hassle  factor  of  requiring  doctors  and 
nurses  to  remove  their  exam  gloves  to  log 
on.  And  then  there  was  the  lotion  prob¬ 
lem.  “In  the  winter,  it  gets  really  dry  here,” 
says  Sims.  “The  ladies  use  quite  a  bit  of 
hand  cream  to  keep  their  hands  moist  and 
soft.”  A  test  revealed  that  the  lotion  was 
building  up  on  the  scanners,  necessitating 
frequent  cleaning  with  alcohol  swabs.  So 
Sims  turned  to  retinal  scanning  and  is  now 
rolling  out  an  iris  scanning  and  proximity 
sensor  system,  which  automatically  logs 
users  off  when  they  walk  away  from  a 
workstation.  He  paid  roughly  $250  per  iris 
scanner  and  about  $100  per  proximity 
sensor,  and  also  invested  in  privacy  screens 
(about  $90  each),  which  make  text  look 
blurred  for  anyone  not  directly  in  front  of 
the  monitor. 

Kahn  at  St.  Peter’s  Health  Care  is  using 
digital  fobs — tiny  portable  devices  from  RSA 
Security  that  display  a  new  code  every 
60  seconds — to  protect  patient  data  travel¬ 
ing  over  the  Internet.  To  gain  access  to  the 
hospital’s  network  through  a  Web  portal,  a 
doctor  must  enter  the  six-digit  code  on  his 
key  fob,  then  type  in  his  four-digit  PIN. 


After  taking  a  careful  look  at  the  risks  and 
costs  of  security  compliance,  Bert  Reese, 
CIO  of  Sentara  Healthcare,  decided  to  back 
up  only  his  five  most  critical  systems.  But 
he  has  documented  how  to  recover  all  of  his 
systems  in  the  event  of  a  natural  disaster. 


Then  he  can  log  in  to  a  specific  application 
to  access,  say,  a  patient’s  lab  results  or  billing 
data.  “It’s  an  extra  layer  above  signing  on 
with  an  ID  and  password,”  says  Kahn. 

Although  encryption  of  data  is  not 
required  by  HIPAA,  most  health-care  organ¬ 
izations  would  be  smart  to  invest  the  rela¬ 
tively  nominal  sum  needed  to  encrypt  any 
patient  data  transmitted  outside  the  institu¬ 
tion.  “I  refused  to  put  a  wireless  network  out 
until  my  team  assured  me  that  it  was 
encrypted,”  says  Carilion’s  Walton. 


8  Don’t  Think 

.  You’re  Done _ 

After  the  2005  deadline,  John 
Quinn,  principal  in  Cap  Gem¬ 
ini  Ernst  &  Young’s  health  consulting  prac¬ 
tice,  recommends  keeping  an  eye  out  for 
several  months  to  see  what  happens  with 
enforcement.  “On  April  22,  2005,  no  red 
flag  will  go  up  on  your  building  because  you 
didn’t  do  the  work,”  Quinn  says.  But  if 
another  organization  gets  in  trouble  for 
doing  something  similar  to  what  you’ve 
done,  revamp  your  program  accordingly. 
Like  it  or  not,  FIIPAA  is  an  ongoing  process. 
The  law  requires  you  to  periodically  reassess 
security  and  make  sure  you  stay  vigilant. 
And  for  good  reason.  As  new  technologies 
are  introduced,  so  are  new  vulnerabilities. 

“With  security,  there’s  not  an  insurance 
policy  you  can  buy  once  a  year  and  say,  I’m 
covered.  It’s  something  you  really  need  to 
review  every  week,”  says  Dr.  Dick  Gibson, 
chief  medical  information  officer  of  Provi¬ 
dence  Health  System  in  Oregon.  Y2K  was 
over  on  Jan.  1,  2000.  But  with  HIPAA,  the 
fat  lady  never  sings.  HE! 


Share  your  HIPAA  war  stories  with  Senior  Editor 
Alice  Dragoon  at  adragoon@cio.com. 
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Why  You  Need  a 

Project  Management  Office 


Companies  seeking  more  efficiency  and  tighter  monitoring  of  IT 
projects  are  opening  project  management  offices  in  growing  numbers. 
But  don’t  expect  a  quick  fix,  easy  metrics  or  an  immediate  payback. 

BY  MEGAN  SANTOSUS 


For  years,  IT  departments  have  struggled  to  deliver 
projects  on  time  and  within  budget.  But  with  today’s 
emphasis  on  getting  more  bang  for  the  buck,  IT  has 
to  rein  in  projects  more  closely  than  ever.  That  chal¬ 
lenge  has  led  many  to  turn  to  project  management  offices 
(PMOs)  as  a  way  to  boost  IT  efficiency,  cut  costs,  and 
improve  on  project  delivery  in  terms  of  time  and  budget. 

While  not  a  new  solution,  the  trend  toward  implementing 
PMOs  to  instill  much-needed  project  management  disci¬ 
pline  in  IT  departments  is  spreading  fast.  "More  people 
lately  have  been  talking  to  me  about  PMOs 
than  they  have  in  the  last  10  years,”  says  Don 
Christian,  a  partner  at  Pricewaterhouse- 
Coopers.  PMOs  can  help  CIOs  by  providing 
the  structure  needed  to  both  standardize 
project  management  practices  and  facilitate 
IT  project  portfolio  management,  as  well  as 
determine  methodologies  for  repeatable 
processes.  The  Sarbanes-Oxley  Act— which 
requires  companies  to  disclose  investments, 


such  as  large  projects,  that  may  affect  a  company’s  operat¬ 
ing  performance— is  also  a  driver,  since  it  forces  companies 
to  keep  closer  watch  on  project  expenses  and  progress. 
W.W.  Grainger,  an  industrial  products  distributor,  has  a  PMO 
that  "enables  us  to  complete  more  projects  on  time  and  on 
budget  with  fewer  resources,”  says  Tim  Ferrarell,  senior  vice 
president  of  enterprise  systems. 

But  PMOs  are  no  panacea  for  project  challenges,  including 
battling  today’s  tepid  business  climate.  For  one  thing,  there  is 
no  uniform  recipe  for  success— it’s  important  that  the  PMO 
structure  closely  hews  to  a  company’s  corpo¬ 
rate  culture.  PMOs  also  won’t  give  organi¬ 
zations  a  quick  fix  or  deliver  immediate, 
quantifiable  savings.  And  companies  with 
PMOs  report  that  they  don’t  necessarily  yield 
easy  to  use  cost-saving  benchmarks  and  per¬ 
formance  metrics.  In  a  survey  conducted  by 
CIO  and  the  Project  Management  Institute 
(PMI),  74  percent  of  respondents  said  that 
lower  cost  was  not  a  benefit  of  their  PMOs. 


Reader  ROI 

►  Why  companies  are 
turningto  PMOs 

►  How  your  peers 
are  using  PMOs 

►  The  challenges  of 
measuring  PMO 
effectiveness 


What  a  PMO  Does  Duringthe  life  cycle  of  a  project,  a  PMO  can  instill 

project  management  discipline  and  align  it  with  a  company’s  overall  strategic  goals 


Generate  Concept 


Plan  Resources _  Launch  Project 


Provide  Ongoing 

Project  Management  Complete  Project 


•  Prioritize  project  in 
terms  of  an  organiza¬ 
tion’s  overall  gover¬ 
nance,  project 
portfolio  processes 

•  Assist  project  leaders 
with  business  case 
development 

•  Ensure  the  project 
links  to  a  company’s 
strategic  goals 


•  Add  project  to  the 
project  management 
or  portfolio  system 


•  Provide  coaching 
and  mentoring  to 
project  managers 


Assign  staff  and  re¬ 
sources  to  the  project 

Lay  out  governance 
standards,  including 
repeatable  project 
processes,  training 
and  metrics 


Begin  to  facilitate 
ongoing  project 
planning  sessions 

Ensure  proper 
tracking  of  project 
data  and  mile¬ 
stones 


•  Ensure  regular  proj¬ 
ect  status  reports 
are  available  to 
decision-makers 


•  Coordinate  com- 

)  munications  across 
business  units 

•  Conduct  regular 
quality  assurance 
reviews 


•  Lead  post-imple¬ 
mentation  reviews 

•  Capture  and  record 
lessons  learned 

•  Ensure  that  project 
data  and  project 
team  evaluations 
are  recorded  and 
distributed  to 
decision-makers 


SOURCE:  BILL  STEWART  OF  THE  PROJECT  MANAGEMENT  LEADERSHIP  GROUP 
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PMOs:The  Longer  You  Have  Them, 

The  BetterTheyWork 

TheC/O/PMI  survey  showed  PMOagehasan  increasing  effect  on  project  success 
improvement.  At  the  same  time,  the  percent  of  respondents  not  tracking  project  success 
rates  decreased— two  signs  that  PMOs  help  instill  project  discipline. 


Success  Increases... 


1  year  2  years  3  years  4  years  5  years 

SOURCE:  CIO/ PMI  SURVEY  (AVAILABLE  ONLINE  AT  WWW2 

However,  survey  respondents  still 
reported  positive  benefits  from  the  forma¬ 
tion  of  a  PMO,  even  if  quantifiable  ROI  is 
elusive.  Out  of  450  people  surveyed,  303,  or 
67  percent,  said  their  companies  have  a 
PMO.  Of  those  with  a  PMO,  half  said  the 
PMO  has  improved  project  success  rates, 
while  22  percent  didn’t  know  or  don’t  track 
that  metric,  and  16  percent  said  success  rates 
stayed  the  same.  There  is  also  a  strong  link 


...While  Ignorance  Decreases 


. CIO.COM/RESEARCH ) 

between  the  length  of  time  a  PMO  has  been 
operating  and  project  success  rates:  The 
longer  the  better.  While  37  percent  of  those 
who  have  had  a  PMO  for  less  than  one  year 
reported  increased  success  rates,  those  with 
a  PMO  operating  for  more  than  four  years 
reported  a  65  percent  success  rate  increase. 
The  top  two  reasons  for  establishing  a 
PMO,  according  to  the  survey:  improving 
project  success  rates  and  implementing  stan¬ 
dard  practices.  In  a  finding  that  indicates 
PMOs’  importance,  a  survey-leading  39  per¬ 
cent  of  respondents  said  the  PMO  is  a  strate¬ 
gic  entity  employed  at  the  corporate  level, 
meaning  it  sets  project  standards  across 
the  enterprise  and  is  supported  by  upper 
managers. 

There  are  two  basic  models  of  PMOs:  one 
that  acts  in  a  consulting  capacity,  providing 
project  managers  in  business  units  with  train¬ 
ing,  guidance  and  best  practices;  and  a  cen¬ 
tralized  version,  with  project  managers  on 

John  Owen,  COO  of  Assurant  Group 
(formerly  the  CIO),  says  the  PMO  maintains 
consistent  project  management  processes 
across  the  organization,  minimizing  failures. 


cio.com  For  complete  results  from 
the  CIO/ PMI  survey  on  effectiveness  and 
best  practices  of  PMOs,  go  online  at 
www2.cio.com/research. 

staff  who  are  loaned  out  to  business  units  to 
work  on  projects.  How  a  PMO  is  organized 
and  staffed  depends  on  a  myriad  of  organi¬ 
zational  factors,  including  targeted  goals,  tra¬ 
ditional  strengths  and  cultural  imperatives. 
When  deployed  in  line  with  an  organization’s 
culture,  PMOs  will  help  CIOs  deliver  strate¬ 
gic  IT  projects  that  satisfy  both  the  CFO  and 
internal  customers.  Over  time — and  CIOs 
should  allow  three  years  to  derive  benefits — 
PMOs  can  save  organizations  money  by 
enabling  better  resource  management,  reduc¬ 
ing  project  failures  and  supporting  those 
projects  that  offer  the  biggest  payback. 

What  a  PMO  Can  Do 

At  transportation  company  Schneider 
National,  a  PMO  provides  the  foundation 
for  eventually  doing  portfolio  management, 
according  to  Mark  Mullins,  vice  president 
of  finance  for  IT.  And  at  Oregon  Health  & 
Science  University  (OHSU),  CIO  John 
Kenagy  launched  a  PMO  to  help  his  350- 
member  IT  department  improve  its  project 
management  acumen.  “Doing  a  large  proj¬ 
ect  takes  a  village  of  people,  and  we  don’t 
want  to  approach  each  project  as  if  starting 
from  scratch,”  Kenagy  says. 

But  while  PMOs  vary  in  terms  of  size, 
structure  and  responsibilities,  Curtis  Cook, 
president  and  CEO  of  consulting  company 
Novations  Project  Management  in  Atlanta, 
says  CIOs  can  expect  PMOs  to  function  in 
the  following  seven  areas. 

•  Project  support:  Provide  project  manage¬ 
ment  guidance  to  project  managers  in  busi¬ 
ness  units. 

•  Project  management  process/method¬ 
ology:  Develop  and  implement  a  consistent 
and  standardized  process. 

•  Training:  Conduct  training  programs  or 
collect  requirements  for  an  outside  company. 

•  Home  for  project  managers:  Maintain  a 
centralized  office  from  which  project  man- 
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What  does  it  take  to  turn  an  obstacle  into  a  benchmark 
victory?  Most  executives  answer  "Vision." 

A  powerful  enterprise  project  management 
solution  can  deliver  dashboard  visibility  into 
all  of  your  projects:  giving  you  the  power  and 
the  wisdom  to  align  projects  with  business 
strategy  and  mitigate  risk. 
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agers  are  loaned  out  to  work  on  projects. 

•  Internal  consulting  and  mentoring: 

Advise  employees  about  best  practices. 

•  Project  management  software  tools: 

Select  and  maintain  project  management 
tools  for  use  by  employees. 

•  Portfolio  management:  Establish  a  staff 
of  program  managers  who  can  manage  mul¬ 
tiple  projects  that  are  related,  such  as  infra¬ 
structure  technologies,  desktop  applications 
and  so  on,  and  allocate  resources  accordingly. 

Notice  that  Cook  doesn’t  mention  cost 
savings.  While  companies  entertain  a  variety 
of  factors  for  starting  a  PMO,  most  propo¬ 
nents  agree  that  cutting  IT  costs  or  reduc¬ 
ing  the  number  of  projects  by  a  set  amount 
should  not  be  among  them.  PMOs  can  cer¬ 
tainly  lead  to  reduced  expenses  and  fewer 
projects,  but  the  first  motive  for  creating  a 
PMO  is  to  deliver  strategic  IT  projects  with 
more  consistency  and  efficiency.  At  Sun 
Life  Financial’s  American  subsidiary,  CIO 
Jim  Smith  says  his  company’s  PMO  was 
launched  five  years  ago  primarily  “to  imple¬ 
ment  the  kind  of  discipline  and  project  man¬ 
agement  processes  required  by  the  Y2K 
crisis.”  The  PMO  relies  on  three  metrics  to 
determine  its  effectiveness:  accuracy  of  cost 
estimates,  accuracy  of  schedule  estimates 
and  project  stakeholder  satisfaction.  By  all 
measures,  it  is  a  success;  from  2001  to  2002, 
those  metrics  improved  25  percent,  31  per¬ 
cent  and  9  percent,  respectively. 

Darrel  Raynor,  managing  director  at  proj¬ 
ect  management  company  Data  Analysis  & 
Results,  says  PMOs  that  take  on  responsi¬ 
bility  for  resource  allocation  can  improve 
employee  productivity.  “By  having  oversight 
to  all  projects  and  personnel,  a  PMO  can 
assign  the  best  people  to  priority  projects  and 
keep  their  attention  focused  on  that  project,” 
he  says.  Multitasking  on  several  IT  projects 
doesn’t  work,  Raynor  says,  adding  that  pro¬ 
ductivity  drops  every  time  an  employee 
switches  from  one  task  to  another.  By  elimi¬ 
nating  multiple  assignments,  PMOs  can 
boost  productivity  while  ensuring  that  pri¬ 
ority  projects  get  the  most  attention.  That’s 
the  case  at  Grainger.  “We  have  about  400 
people  in  a  centralized  IT  department,  and 


Top  ways  that 
PMOs  make  a 
financial  impact 

•  Provide  standard  methodology  for 
managing  projects 

•  Have  responsibility  for  process  and 
project  reporting  and  tracking 

•  Ensure  that  similar  projects  are 
executed  in  a  similar  way 

•  Have  the  information  needed  to 
speed  up  or  slow  down  a  process 

•  Provide  a  process  for  resource 
allocation  and  capacity 
management 

•  Ensure  that  projects  have  direct 
links  to  company's  strategic  and 
operating  plans 

Top  ways  that 
PMOs  make  a 
strategic  impact 

•  Link  projects  directly  to  company’s 
strategic  and  operating  plans 

•  Provide  standard  methodology  for 
managing  projects 

•  Have  sponsorship/support  from 
senior  management 

•  Ensure  that  projects  support  a 
business  goal  or  strategy 

•  Align  groups  on  project  process, 
selection,  priority  and  execution 

•  Ensure  that  similar  projects  are 
executed  in  a  similar  way 

SOURCE:  CIO/ PMI  SURVEY 


one  of  the  key  benefits  is  that  we’re  allocat¬ 
ing  the  majority  of  our  resources  to  the  high¬ 
est  priority  projects,”  says  Ferrarell. 

PMOs  can  nevertheless  deliver  a  return  in 
three  to  six  months  by  providing  the  visibil¬ 
ity  needed  to  cancel,  postpone,  or  scale  back 
unnecessary  or  less  strategic  projects,  says 
Raynor.  At  diversified  technology  services 
company  Schlumberger,  Project  Office  Man¬ 
ager  Vincent  de  Montmollin  says  the  PMO 
saved  more  than  $3  million  by  reducing  the 
number  of  small  projects  from  233  to  13. 


It’s  Hard  to 
Measure  Success 

But  Schlumberger’s  results  aren’t  typical.  For 
survey  respondents,  improving  project  suc¬ 
cess  rates  is  a  top  goal,  yet  getting  metrics 
that  prove  that  PMOs  are  working  takes 
time.  In  the  C/O/PMI  survey,  42  percent  of 
companies  with  PMOs  less  than  1  year  old 
didn’t  know  or  do  not  track  success  rates. 
Only  22  percent  of  companies  with  PMOs 
older  than  five  years  said  the  same.  It’s  inher¬ 
ently  difficult  to  pinpoint  project  success 
rates  for  PMOs  less  than  3  years  old  simply 
because  there’s  no  track  record  of  completed 
projects.  Even  if  CIOs  can  determine  cost 
savings  or  success  rates,  benchmarking 
results  against  other  organizations  isn’t  a 
reliable  gauge  of  progress  because  so  many 
variables  factor  into  the  success  of  a  PMO. 
“To  justify  the  existence  of  a  PMO,  compa¬ 
nies  can  build  a  business  case  with  relative 
ease,”  says  Robert  Handler,  vice  president 
of  Meta  Group’s  enterprise  planning  and 
architecture  strategy  service.  “Yet  people 
want  a  good  quantitative  number,  and  it’s 
difficult  to  have  that  silver-bullet  ROI  that’s 
applicable  in  all  cases.”  For  Schlumberger’s 
de  Montmollin,  the  biggest  benefit  of  the 
PMO — giving  the  CIO  the  status  and  finan¬ 
cial  details  of  all  the  company’s  IT  projects — 
isn’t  something  he  can  quantify. 

One  relatively  quick  metric  to  come  by  is 
customer  satisfaction  among  internal  end 
users.  Burlington  Northern  Santa  Fe  Railway 
(BNSF)  scores  customer  satisfaction  numbers 
on  completed  projects  and  tracks  ongoing 
activities  quarterly.  Since  the  PMO  was  insti¬ 
tuted,  these  customer  satisfaction  scores  have 
been  consistently  improving.  Jeff  McIntyre, 
BNSF’s  assistant  vice  president  of  technology 
services,  says  the  company  is  struggling  with 
other  metrics  that  could  peg  project  improve¬ 
ments  directly  to  the  PMO.  “No  two  proj¬ 
ects  are  alike,  so  it’s  difficult  to  do  compar¬ 
isons,”  he  says.  In  addition,  BNSF  sent  about 
40  percent  of  its  development  work  offshore, 
so  it’s  hard  to  attribute  specific  results  solely 
to  the  PMO,  says  McIntyre.  Yet  BNSF  is 
pursuing  harder  metrics;  technology  services 
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is  working  on  a  Balanced  Scorecard  that  will 
try  to  nail  down  measurements  during  the 
next  year  that  paint  an  accurate  picture  of 


the  PMO’s  effect  on  the  bottom  line  as  well 
as  on  processes  and  learning. 

To  create  a  PMO  that  is  a  good  cultural 
fit,  Handler  and  others  recommend  start¬ 
ing  out  with  well-defined  pilot  projects  that 
rely  heavily  on  input  from  project  managers 
in  the  business  units.  At  OHSU,  Project 
Management  Officer  John  Kocon  concurs. 
“You  have  to  really  understand  the  culture, 
look  at  industry  standards  and  best  prac¬ 
tices,  and  tailor  them  to  the  organization,” 
he  says.  “There’s  some  give  and  take  with 
project  stakeholders  who  may  resist  doing 
things  in  a  prescribed  way.” 

To  overcome  such  resistance,  Kocon 
enlists  support  among  senior  managers. 
Others  involved  with  PMOs  say  that  senior 
management  must  be  involved — either  in 
terms  of  sponsorship  or  a  direct  reporting 
relationship — if  PMOs  are  to  be  effective. 

The  Lines  of  Authority 

To  improve  the  chances  of  delivering  quan¬ 
tifiable  results,  CIOs  might  be  tempted  to 
create  strict  PMOs  that  wield  unwavering 
power  over  project  management.  People 
who  have  experience  with  PMOs  caution 
against  the  tendency  to  create  an  entity  that 
is  primarily  administrative,  with  roles  cen¬ 
tered  around  either  approving  and  rejecting 
projects,  or  auditing  projects  for  compliance 

Michael  Williams,  CIO  for  The  New  York  Times 
Co.,  and  Janet  Burns,  project  management 
director,  say  the  company’s  PMO  evolved  from 
a  ruthlessly  centralized  one  to  one  that  adapted 
to  the  organization’s  collaborative  culture. 


to  processes  and  metrics.  “A  PMO  has  to 
be  instituted  in  a  way  that  doesn’t  fly  in  the 
face  of  the  culture,”  says  Handler.  A  PMO 


that  is  too  bureaucratic  or  rigid  in  terms  of 
time  tracking  and  the  use  of  project  man¬ 
agement  tools  may  reek  of  Big  Brother.  At 
The  New  York  Times  Co.,  a  PMO  founded 


to  tackle  IT  issues  surrounding  Y2K  was  dis¬ 
banded  in  January  2000  once  it  completed 
its  mission.  In  mid-2000,  the  publishing 
company  launched  a  virtual  PMO  with  a 
decidedly  different  approach.  The  first  PMO 
was  “centralized  with  an  iron  fist,”  says  Vice 
President  and  CIO  Michael  Williams. 
“Every  task  was  reported,  which  was  fine 
for  that  exercise,  but  it  really  wouldn’t  work 
in  our  culture.  After  Y2K,  we  adapted  a  new 
PMO  to  our  collaborative  culture.”  The  cur¬ 
rent  virtual  PMO  offers  project  management 
guidelines  via  an  intranet. 

The  history  of  the  PMO  at  The  New  York 
Times  demonstrates  how  important  it  is  to 
decide  up  front  what  kind  of  PMO  best  suits 
your  organization,  whether  consultative  or 


To  create  a  PMO  that  is  a 
good  cultural  fit,  sta  rt  out  with 
well-defined  pilot  projects. 
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Howto  Start  a 

Project  Management  Office 

It’s  important  to  analyze  your  IT  needs  before  setting  up  a  PMO 

WHETHER  TO  FORM  a  project  management  office  (PMO)  with  a  consulting  bent  or 
one  that’s  centralized  depends  entirely  on  the  track  record  of  your  IT  department  and 
where  you  want  it  to  go.  "The  PMO  shouldn’t  exist  within  itself,"  says  Gary  Davenport, 
vice  president  of  information  services  at  Hudson's  Bay  Co.  "You  have  to  look  at  the 
overall  IT  operations  first,  determine  what  you  want  to  accomplish  and  why,  and  fig¬ 
ure  out  what  improvements  you  need  to  make  to  achieve  the  company’s  strategy.” 

Bill  Stewart,  CEO  of  the  Project  Management  Leadership  Group,  a  project  man¬ 
agement  training  company  in  Atlanta,  says  that  CIOs  should  ask  themselves  ques¬ 
tions  aimed  at  ferreting  out  both  IT  weaknesses  and  opportunities:  Where  do  you 
want  your  IT  department  to  be  one  year  from  now?  How  can  IS  contribute  most  to 
the  organization— by  helping  to  increase  profits  or  by  delivering  projects  on  time?  If 
IS  could  manage  projects  consistently,  how  would  that  affect  the  organization?  How 
CIOs  answer  such  questions  determines  which  basic  model  of  PMO  will  work  best. 

Explore  whether  there  are  critical  activities  at  your  organization  that  are  falling 
through  the  cracks,  and  decide  if  a  PMO  is  the  appropriate  entity  to  take  them  on. 
Due  to  budget  restrictions,  Schneider  National  nixed  its  PMO  in  November  2001. 
But  remnants  of  a  Balanced  Scorecard  approach  used  by  the  PMO  lived  on.  Mark 
Mullins,  Schneider  National’s  vice  president  of  finance  for  IT,  says  the  new 
arrangement  was  less  effective  than  the  PMO.  Yet  two  large  and  impending  IT  proj¬ 
ects  prompted  the  CEO  and  CIO  to  resurrect  a  centralized  PMO  in  January  2003. 
"Several  important  things— including  standardizing  process  to  use  consistently 
across  projects  and  establishing  a  groundwork  for  portfolio  management— weren’t 
getting  done,”  says  Mullins.  -M.S. 


centralized  (see  “How  to  Start  a  Project  Man¬ 
agement  Office,”  this  page).  Raynor  of  Data 
Analysis  &  Results  says  the  consulting 
model — where  the  PMO  provides  ongoing 
support  for  project  managers  in  business 


John  Kocon,  project  management 
officer  at  OHSU,  has  advice  about 
matching  the  PMO  to  the  organi¬ 
zation.  Have  other  questions 
about  setting  up  an  effective 


PMO?  Through  July  15,  ASK  YOUR 
QUESTIONS  ON  PMO  at  ASK  THE 
SOURCE.  Find  the  page  at  www.cio.com/ask. 


units — works  well  for  organizations  seeking 
either  small  gains  in  efficiency,  minimal  startup 
risks  or  both.  “The  consulting  model  fits  into 
an  organization’s  continuous  improvement 
plans,”  he  says.  At  The  New  York  Times, 
Project  Management  Director  Janet  Bums  is 
the  sole  full-time  employee  of  the  project  man¬ 
agement  office;  her  role  is  to  provide  project 
managers  with  all  the  information  they 
need  to  run  a  project  without  contacting  her 
personally. 

That’s  the  case  at  OHSU,  where  the 
PMO’s  role  as  a  facilitator  lends  itself  to 
incremental  improvements.  “We’re  not  look¬ 
ing  for  dramatic  changes  because  they  take 
too  long,”  says  Kocon. 


The  centralized  approach,  typically 
marked  by  hands-on  control  over  projects,  is 
most  effective  at  organizations  where  the 
PMO  regularly  interacts  with  senior  execu¬ 
tives  and  has  the  power  to  cancel  and  prior¬ 
itize  projects.  At  risk  management  company 
Assurant  Group,  20  project  managers  work 
in  the  PMO  under  the  ultimate  direction  of 
former  CIO  John  Owen  (who  is  now  the 
COO).  Using  well-defined  software  devel¬ 
opment  and  project  management  method¬ 
ologies,  the  PMO  works  with  business  units 
on  every  aspect  of  project  management — 
from  defining  initial  requirements  to  post¬ 
implementation  audits.  Maintaining  con¬ 
sistent  processes  across  the  organization 
enables  Owen  to  break  down  projects  into 
manageable  components  and  thereby  mini¬ 
mize  failures.  Centralized  PMOs  have  a 
higher  risk  but  also  promise  bigger  benefits. 
In  four  years,  Assurant’s  PMO  has  resulted 
in  a  97  percent  success  rate  based  on  projects 
meeting  schedules  and  budgets. 

Responsibilities  of  PMOs  range  widely, 
from  providing  a  clearinghouse  of  project 
management  best  practices  to  conducting 
formal  portfolio  management  reviews.  A 
PMO’s  oversight  need  not  be  limited  to  proj¬ 
ect  development  or  even  IT.  At  Burlington 
Resources,  a  Houston-based  oil  and  gas 
company,  Vice  President  and  CIO  Rick  Diaz 
gave  the  PMO  responsibility  for  coordinat¬ 
ing  and  tracking  both  projects  and  services. 
The  PMO  monitors  IT’s  performance  on 
service-level  agreements.  “This  is  unusual, 
but  it  gives  me  a  single  point  of  control  and 
coordination  that  works  for  us,”  Diaz  says. 

Coming  up  with  a  PMO  that  works  for 
any  given  organization  is  an  exercise  in 
both  customization  and  patience.  When  it 
comes  to  establishing  a  PMO,  there  are  no 
road  maps  to  follow,  benchmarks  to  shoot 
for  or  metrics  against  which  to  measure. 
The  most  effective  PMOs  are  those  that 
reap  improvements  over  time  and  continu¬ 
ously  push  the  IT  department  to  improve 
on  its  performance.  QE1 


You  can  tell  Senior  Editor  Megan  Santosus  about 
your  PMO  experiences  at  santosus@cio.com. 
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This  little  book  is  free. 

It  could  save  you  millions. 

Outsourcing  is  a  big  deal.  How  you  structure  your  outsourcing  agreement 
will  determine  its  success  or  failure.  But  doing  it  right  isn’t  easy.  This  little 
book  from  Gartner  tells  you  how  to  build  a  durable  deal  that  could  save 
you  a  lot  of  time  and  money. 

The  cost  is  zero.  Not  a  bad  deal. 


For  your  free  copy  and  to  learn  more  about  outsourcing, 
just  call  +1  203  316  1111  or  go  to  gartner.com/outsourcing. 
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Want  to  cut  your  IT  costs  without  sacrificing 
performance?  PRIMEPOWER  Servers  from  Fujitsu. 

UThe  secret  is  out.  PRIMEPOWER™  Solaris™- compatible 
servers  from  Fujitsu®  deliver  a  major  breakthrough  in 
price/performance  compared  to  our  more  famous 
competition.  Want  proof?  PRIMEPOWER  servers  offer 
such  an  advantage  that  the  world’s  leading  com¬ 
panies  use  them  to  boost  their  performance.  And  there’s  a 
PRIMEPOWER  server  that’s  right  for  any  application  you  need  — 
from  single  CPU,  rack-mounted  servers  to  enterprise-ready 
systems  that  scale  to  128  CPUs  for  unsurpassed  performance 
in  the  data  center. 

Of  course,  it’s  not  just  the  hardware  you’re  buying.  It’s  also 
Fujitsu’s  30+  years  of  experience  supporting  high-perform¬ 
ance,  mission-critical  systems.  We’ve  already  helped  many 
companies  consolidate  their  IT  infrastructures  and  lower  their 
Total  Cost  of  Ownership.  Our  free  white  paper,  The  Why  and 
How  of  Server  Consolidation,  explains  how.  Get  your  copy  at 
www.ftsi.fujitsu.com/ad.  Or  call  (877)  905-3644. 
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Investment  management 
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INTEGRATION  PROBLEM 

Eliminate  channel  disparity, 
streamline  back-office  processes 
and  consolidate  disparate  customer 
databases 


All  for 
One  View 

By  having  its  employees  use  the  same  Web  interface  as  its 
customers,  Vanguard  saved  itself  time,  money  and  the  hassles 
that  arose  from  a  classic  case  of  channel  inequality 

BY  ALICE  DRAGOON 


THE  PLAYERS 

JACK  BRENNAN 

Chairman  and  CEO 

TIM  BUCKLEY 

Managing  Director  of  Information 
Technology 

JEFF  DOWDS 

Principal  of  Vanguard  Direct  Investor 
Systems  and  Integration  Project 
Lead 


CASE  ANALYST 

WILLIAM  IVES 

Lead,  Knowledge  Management 
and  Portals  Practice 
Accenture 


MORE  THAN  10  YEARS  AGO,  Jack  Brennan, 
with  his  CIO  by  his  side,  told  the  assembled 
ranks  at  The  Vanguard  Group  that  there  was 
no  such  thing  as  IT  and  business — just  business. 
On  Brennan’s  watch  as  chairman  and  CEO  of 
Vanguard,  IT  and  business  have  joined  forces 
on  a  massive  integration  project  that’s  replacing 
disparate,  siloed  systems  and  databases  with  a 
single  Web  portal  supported  by  an  enterprise 
database.  Enabled  by  disarmingly  simple  tech¬ 
nology,  this  project  is  driven  purely  by  a  busi¬ 
ness  need  to  give  customers  seamless  service, 
regardless  of  channel. 

Virtual  from  the  onset,  Vanguard  has  always 
plied  its  wares — mutual  funds,  annuities,  401(k)s 
and  the  like — and  served  its  customers  by  phone 
and  by  mail  instead  of  face-to-face.  When  the 
Web  came  along,  the  decision  to  do  business 
online  was  a  no-brainer.  By  1998,  customers 


were  using  Vanguard.com  to  open  new  accounts, 
purchase  and  redeem  fund  shares,  and  receive 
electronic  statements.  The  Valley  Forge,  Pa.- 
based  company  continued  to  invest  heavily  in  its 
website  as  many  of  its  high-value  clients  migrated 
to  the  Web  to  manage  their  portfolios.  It  was  a 
wise  investment.  Today,  Vanguard’s  Web  cus¬ 
tomers  tend  to  invest  150  percent  more  and  turn 
over  less  frequently  than  non-Web  customers, 
while  the  cost  to  serve  them  online  is  just  5  per¬ 
cent  of  what  it  costs  when  a  human  is  involved. 
However,  Vanguard  did  so  well  designing  top- 
notch  Web  tools  that  it  soon  outstripped  the  sys¬ 
tems  used  by  its  employees  (or  crew  members,  as 
the  company  calls  them).  Vanguard  had  itself  a 
classic  case  of  channel  disparity. 

When  customers  with  online  accounts  called 
Vanguard’s  toll-free  number  for  help  in  the  late 
1990s,  they  spoke  with  employees  who  were 
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EXPERT  ANALYSIS 


THE  GIFT  THAT  KEEPS 
ON  GIVING 


BY  WILLIAM  IVES 


WHILE  USING  THE  SAME  PLATFORM  for  customers  and 
customer  service  reps  seems  obvious,  this  investment 
required  courage  on  the  part  of  Vanguard’s  management. 

This  courage  and  the  resulting  outcome  is  a  differentiator 
in  today’s  demanding  economic  environment.  The  organi¬ 
zation  had  to  have  complete  confidence  in  its  software 
engineering  principles.  The  road  is  littered  with  value- 
added  programs  that  have  failed  due  to  an  organization’s 
inability  to  deliver.  Vanguard  displayed  the  level  of  busi¬ 
ness  and  IT  integration  and  perseverance  required  to 
sustain  this  program,  and  successfully  navigated  the 
conflicting  priorities  and  strategic  challenges  inherent  in 
complex  transformational  journeys. 

Throughout  this  effort,  Vanguard  demonstrated  leadership  in  managing  its  own 
application  portfolio  for  the  benefit  of  its  clients.  Vanguard  maintained  its  principles 
with  straightforward,  basic  approaches  and  executed  simple  concepts  resulting  in 
service  excellence  and  cost  reduction  advantages. 

The  real  beauty  of  this  investment  is  that  it  is  truly  “the  gift  that  keeps  on  giving." 
Unlike  other  technology  investments  that  initially  provide  value  then  lose  their  luster, 
Vanguard  has  created  a  tiered  systems  architecture  that  will  continue  to  provide  cost 
savings  and  promote  customer  service  excellence  well  into  the  future. 


William  Ives  isthe  lead 
for  the  knowledge 
management  and 
portals  practice  at 
Accenture.  He  can  be 
reached  ats.william.ives 
@accenture.com. 
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relying  on  13  old,  siloed  client/server  systems. 
Those  systems  had  been  built  to  serve  differ¬ 
ent  lines  of  business  and  therefore  didn’t  inter¬ 
operate.  Customer  service  employees  had  to 
toggle  among  as  many  as  10  different  sys¬ 
tems  to  answer  customer  inquiries  01;  worse, 
transfer  callers  to  other  employees  because 
they  couldn’t  find  the  answer  themselves. 

“We  made  a  very  robust  channel,  but  all 
the  other  channels  lagged  behind,  and  we 
were  putting  our  associates  at  a  disadvan¬ 
tage,”  says  Managing  Director  of  Informa¬ 
tion  Technology  Tim  Buckley.  “Clients  had 
an  enterprise  view  of  their  data,  more  robust 
capabilities  and  a  more  efficient  channel.” 
In  short,  customers  had  a  clearer,  more  com¬ 
prehensive  view  of  their  holdings  through 
the  website  than  did  the  Vanguard  employ¬ 
ees  who  were  supposed  to  be  helping  them. 

Something  had  to  change.  “We  were  star¬ 
ing  at  a  large  investment  to  replace  [the  crew 
members’]  platform,”  says  Jeff  Dowds,  prin¬ 
cipal  of  Vanguard  Direct  Investor  Systems 
and  project  lead  for  the  integration  effort. 
Many  in  Vanguard’s  shoes  would  have 
heeded  the  siren  call  of  CRM  vendors.  As 
Dowds,  Buckley  and  the  late  Bob  DeSte- 
fano,  Vanguard’s  longtime  CIO  until  his 
death  in  2001,  stared  at  the  numbers, 
though,  a  radically  different  approach  sud¬ 
denly  seemed  to  make  sense.  After  much 
internal  debate,  they  persuaded  themselves 
and  Brennan  that  the  customer  service 
employees  should  use  the  same  Web  inter¬ 
face  that  had  lured  so  many  of  its  customers 
online  in  the  first  place. 

IF  IT’S  GOOD  FOR 
THE  CUSTOMER... 

It  was  a  brilliantly  simple  solution.  Using  the 
same  interface  internally  and  externally 
would  result  in  channel  parity  and  seamless 
customer  service,  and  let  Vanguard  avoid 
the  expense  of  acquiring  and  integrating  a 
third-party  CRM  system.  It  would  also  yield 
jaw-dropping  annual  savings  by  letting  all 
channels  capitalize  on  Vanguard.com’s  use 
of  a  single  enterprise  database  and  its 
enablement  of  straight-through  processing. 
That  meant  any  change  entered  online 


would  be  made  automatically  in  the  appro¬ 
priate  back-office  systems  with  no  human 
intervention.  Buckley  jokes  that  Dowds 
pushed  hard  for  the  idea  out  of  pure  self- 
interest,  since  managing  only  one  system 
would  make  his  life  easier. 

This  decision  ultimately  led  Vanguard  to  a 
three-tiered  architecture:  the  internal/exter¬ 
nal  Web  interface  linked  to  standard  midtier 
business  objects  running  on  a  single  enter¬ 
prise  database  for  all  channels.  “People  made 
the  case,  and  it  seemed  to  me  so  obvious 
after  the  fact  that  I  wondered  why  didn’t  I 
think  of  that,”  says  Brennan.  “I  wish  I  had.” 

The  key  reason  for  using  the  Web  inter¬ 
face  internally,  in  Brennan’s  view,  is  that  it 
lets  Vanguard  offer  seamless  customer  serv¬ 
ice,  regardless  of  which  channel  (or  chan¬ 
nels)  a  customer  uses.  “It  gives  us  clarity 
internally  and  externally  so  the  crew  mem¬ 
ber  and  client  are  on  the  same  footing,”  he 


says.  “That’s  very  important.”  Using  the 
same  interface  makes  it  easier  for  employ¬ 
ees  to  talk  with  customers  about  what 
they’ve  done  online.  Since  they  know  the 
website  so  well,  employees  are  also  more  apt 
to  encourage  customers  to  use  it.  When  cus¬ 
tomers  are  handling  mundane  tasks  like 
address  changes  online  (which  lowers  Van¬ 
guard’s  costs),  customer  service  reps  can 
devote  more  of  their  phone  time  to  higher- 
value  conversations  about  investments. 

“There’s  a  benefit  for  everybody  if  the  rou¬ 
tine  stuff  happens  on  the  Web  and  the  value- 
added  happens  with  humans  accentuated  by 
the  Web,”  says  Brennan.  Vanguard’s  cus¬ 
tomers  are  indeed  gravitating  to  the  Web. 
Buckley  says  that  in  1999,  Vanguard  handled 
100,000  calls  a  day.  Today,  it  gets  40,000 
calls  daily — and  150,000  log-ons  to  Van- 
guard.com.  More  than  half  of  Vanguard’s 
transactions  are  now  conducted  online. 
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Using  the  Web  interface  as  the  corporate  por¬ 
tal  also  changes  the  focus  of  Vanguard’s  train¬ 
ing  efforts.  Because  the  Web  interface  was 
designed  to  be  intuitive  (after  all,  customers 
don’t  get  trained),  Vanguard  no  longer  has  to 
subject  employees  to  four  to  six  weeks  of  train¬ 
ing  on  the  old  client/server  systems.  “You  don’t 
waste  your  time  training  people  on  systems,” 


says  Buckley.  “Instead  you  train  them  on 
investments,  which  is  where  we  want  to  spend 
the  time.”  Having  an  intuitive  interface  also 
helps  when  call  volumes  and  wait  times  spike 
and  Vanguard  activates  its  so-called  Swiss 
Army,  calling  on  all  qualified  personnel  (from 
the  CEO  on  down)  to  help  man  the  phones. 

...IT’S  GOOD  FOR  THE 
EMPLOYEE 

Ironically,  the  very  intuitiveness  of  the  cus¬ 
tomer  Web  interface  made  the  customer 
service  employees  wary.  How  could  a  sys¬ 
tem  designed  for  customers  be  robust 
enough  for  on-the-job  use  eight  to  10  hours 
a  day?  Dowds  and  his  team  overcame  that 
reluctance  by  turning  the  customers’  confir¬ 
mation  page  into  a  power  user  page. 
Employees  can  go  directly  to  the  summary 
page  that  lets  customers  review  and  edit 
information  before  they  confirm  a  transac¬ 
tion.  The  internal  version  of  the  website 
also  includes  two  CRM  tools:  an  extensive 
contact  history  (customers  only  see  an 
abbreviated  version)  and  a  coaching  tool 
from  Epiphany  that  helps  employees  sug¬ 
gest  relevant  tools  and  services,  such  as  the 
website’s  personal  financial  planning  tool, 
for  a  given  customer. 

Extensive  usability  testing  confirmed  that 
giving  employees  access  to  everything  they 
need  to  help  clients  through  a  single  Web 
interface  would  make  their  lives  easier.  As 
of  May,  when  90  percent  of  the  Web  desk¬ 
tops  were  scheduled  to  be  fully  rolled  out 


internally,  toggling  between  systems  became 
a  thing  of  the  past.  By  the  end  of  2004, 
Dowds  and  his  team  will  have  retired  at 
least  12  client/server  applications. 

By  turning  the  confirmation  page  into  a 
power  user  page  and  adding  the  two  CRM 
tools,  Vanguard  was  able  to  reuse  about 
80  percent  of  the  Vanguard.com  interface 


internally.  Besides  saving  the  expense  of 
buying  and  integrating  a  third-party  CRM 
system,  it  greatly  simplifies  internal  system 
maintenance.  Dowds  and  his  team  dis¬ 
courage  requests  to  modify  the  internal 
page  because  each  variation  must  be 
designed,  programmed  and  tested.  “The 
moment  that  there’s  the  outside  page  and 
an  inside  variant  of  that,  you  lose  the  merit 
of  a  common  user  interface,”  he  says. 
“There  must  be  an  absolutely  justifiable 
reason  for  variations.” 

PAINLESS  PROCESSING 

One  of  the  most  tantalizing  benefits  of  using 
the  Web  interface  internally  is  that  other 
channels  benefit  from  the  straight-through 
processing  built  into  Vanguard.com.  Al¬ 
though  an  early  version  of  the  site  seemed 
fully  automated,  customer  data  still  had  to 
be  printed  out,  which  triggered  a  five-step 
manual  process  to  reenter  data  into  back¬ 
end  systems  before  processing  a  transaction. 
“It  would  have  been  no  different  than  if  you 
had  sent  it  to  us  through  the  mail,”  says 
Dowds.  “From  a  processing  perspective,  the 
effort  inside  Vanguard  was  the  same.” 

In  expanding  the  Vanguard.com  site, 
Buckley’s  team  developed  objects  that  let 
Vanguard  fastidiously  apply  standard  rules 
at  the  point  of  data  entry.  That  way,  infor¬ 
mation  customers  type  online  goes  directly 
into  the  back-end  systems  with  no  employee 
intervention.  Similarly,  when  employees 
enter  data  through  the  Web  interface,  it  too 


goes  straight  through  instead  of  triggering  a 
manual,  back-office  process. 

That  process  eliminates  both  the  hefty 
labor  cost  of  having  employees  rekey  data 
and  the  inherent  opportunity  to  introduce 
errors.  Dowds  says  that  98  percent  to 
99  percent  of  Web-originated  traffic  requires 
no  support  from  a  Vanguard  employee.  “It’s 
just  a  very  cheap  way  to  do  business,”  he 
says.  “Whenever  we  add  new  functions  and 
features,  it’s  a  guiding  principle  in  our  design 
approach  that  it  has  to  go  straight  through. 
It’s  just  the  way  we  do  things  now.” 

Reusing  the  middle  tier  of  standard  busi¬ 
ness  objects  initially  developed  for  the  Web 
makes  maintaining  channel  parity  easier  and 
less  expensive.  Since  all  channels  use  the 
same  objects,  Buckley’s  team  can  add  a  new 
feature  or  make  a  change  once  in  an  object, 
and  that  change  will  be  reflected  across  all 
channels.  Although  Vanguard’s  interactive 
voice  response  system  can’t  make  use  of  the 
Web  user  interface,  it  too  will  eventually  be 
tied  in  to  the  standard  business  objects. 

ONE  BIG  DATABASE 

The  introduction  of  transaction  capability 
on  Vanguard.com  also  marked  the  begin¬ 
ning  of  the  company’s  push  toward  an  enter¬ 
prise  database.  Since  a  plethora  of  systems 
and  databases  had  sprung  up  to  support 
Vanguard’s  different  lines  of  business,  a  sin¬ 
gle  customer’s  data  might  have  been  stored 
in  10  different  spots.  That  data  was  often 
defined  differently  from  one  database  to  the 
next,  necessitating  a  lot  of  what  Buckley 
calls  “non-value-added  reconciliation”  be¬ 
tween  databases. 

The  effort  to  eliminate  disparate  data¬ 
bases  is  expensive  and  not  always  visible, 
Buckley  says.  It  was  well  worth  the  hassle 
though,  he  adds,  since  the  existing  tangle  of 
databases  was  expensive  to  keep  consistent 
and  accurate.  So  as  the  IT  team  expanded 
Vanguard.com,  it  also  created  a  compre¬ 
hensive  customer  database  that  would  be 
the  single  repository  of  all  Vanguard’s  cus¬ 
tomer  data. 

Identifying  consistent  definitions  for  some 
4,000  data  points  wasn’t  easy.  After  all,  the 


Having  an  intuitive  interface  helps  when  call 
volumes  and  wait  times  spike  and  Vanguard 
activates  its  so-called  Swiss  Army,  calling  on  all 
qualified  personnel  to  help  man  the  phones. 
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businesspeople  who  built  those  disparate 
systems  think  about  customers  differently. 
Still,  Dowds  doesn’t  regret  the  hours  spent 
hammering  out  a  consensus.  As  a  result  of 
all  that  wrangling,  Vanguard  is  in  the 
process  of  retiring  12  databases,  which 
makes  for  more  consistent,  seamless  and 
faster  service  for  clients  and  employees  alike. 

The  single  database  has  cut  response  time 
for  Web-based  clients  in  half,  Dowds  says. 
Employees’  response  time  has  been  slashed 
by  60  percent  to  70  percent.  The  task  of 
updating  and  maintaining  databases  is  also 
exponentially  easier.  With  fewer  systems  and 
databases  to  administer,  Vanguard  has  been 
able  to  trim  its  roughly  800-person  IT  staff 
by  about  75  through  attrition.  “Four  to  five 
years  out,  we  will  have  less  software  to  sup¬ 
port  and  less  data  to  support,”  says  Dowds. 
“The  fact  that  we  have  to  manage  this  data 
once — rather  than  10  times — that’s  an  annu¬ 
ity  for  life.  A  little  painful  to  get  there,  but....” 


ENDING  BALANCE 

Although  Vanguard  undertook  this  integra¬ 
tion  project  primarily  to  improve  customer 
service  and  achieve  channel  parity,  the  proj¬ 
ect  is  reaping  impressive  savings.  “In  cost 
savings  alone,  this  will  have  paid  for  itself 
in  three  to  three  and  a  half  years,”  says 
Buckley.  Savings  from  straight-through  pro¬ 
cessing  and  lower  systems  maintenance  costs 
are  expected  to  add  up  to  $30  million  annu¬ 
ally.  Integrating  systems  is  also  likely  to  gen¬ 
erate  revenue.  By  improving  service, 
Vanguard  can  increase  customer  loyalty,  an 
important  advantage  in  the  turbulent  mar¬ 
ket.  Early  results  are  so  promising  that  Buck- 
ley  says  he  should  have  done  it  sooner.  “It 
would  have  been  great  to  do  it  concurrently 
as  we  built  out  the  Web,”  he  says. 

Although  the  price  tag  on  this  project  was 
undeniably  large,  Brennan  believes  it’s 
been  a  wise  investment.  While  Vanguard 
wouldn’t  specify  the  overall  costs,  with  the 


annual  operating  cost  savings  of  $30  mil¬ 
lion,  the  internal  rate  of  return  is  more  than 
20  percent.  “There  are  a  ton  of  benefits,  but 
it’s  not  cheap.  You’ve  got  to  be  pretty  confi¬ 
dent  that  you’re  going  to  get  a  good  ROI 
on  this,”  he  says.  “I’m  a  numbers  guy,  and 
I’m  very  confident  that  we’re  already  getting 
very  good  ROI  on  the  Web  broadly  and  on 
the  integration  effort  as  well.  The  integrated 
channel  concept  is  absolutely  core  to  who 
we  are,  and  will  be  forever.”  HE! 


Share  your  integration  tales  with  Senior  Editor  Alice 
Dragoon  at  adragoon@cio.com  and  Features  Editor 
Lafe  Low  at  ltow@cio.com. 

cio  store  Vanguard  made  CRM  work 

for  its  customers  and  its  internal  staff.  Now 
you  can  bend  CRM  to  your  will  with  our 
latest  CIO  Focus  guide-CRM:  MAXIMIZING 
REWARDS,  MINIMIZING  RISK.  Find  it  at 
www.theciostore.com. 
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when  results 
really  matter. 

Project  Management-the  pi  i  way! 


The  world  runs  on  project  management. 

From  developing  vaccines  to  hosting  the  Olympics 
to  converting  twelve  different  currencies  to  the  Euro. 

Project  management  keeps  the  pipeline  full,  balance 
sheets  healthy,  R&D  on  track,  and  shareholders  happy. 

And  the  place  to  turn  for  everything  you  need  to 
know  about  project  management  is  the  Project 
Management  Institute. 

To  learn  more  about  how  to  get  the  job  done 
when  results  really  matter,  visit  PMI — the 
acknowledged  world  leader  in  project  management — 
at  www.pmi.org/ciomag.htm 


Building  professionalism  in  project  management.® 


Project  Management  Institute 

Four  Campus  Boulevard 
Newtown  Square,  PA  19073-3299  USA 
Phone:  +1-610-356-4600 
Fax:  +1-610-356-4647 
www.pmi.org/ciomag.htm 

©  2003  Project  Management  Institute,  Inc.  All  rights  reserved. 

“PMI",  the  PMI  logo,  and  “Building  professionalism  in  project  management.”  are 
registered  trademarks  of  the  Project  Management  Institute,  Inc. 
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Smooth  Talkers 

Speech  integration  technology  gives  customers  and  employees 
convenient  access  to  hack-end  data  by  john  Edwards 


Edited  by  Christopher 
Lindquist.  Send  your 
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for  future  columns  to 
clindquist@cio.com. 


TO  BOB  DUPONT,  vice  president  of  reserva¬ 
tions  for  Dollar  Thrifty  Automotive  Group, 
speech  integration  sounds  like  success.  That’s 
because  the  car  rental  company  is  using  the 
technology  to  both  improve  customer  service 
and  trim  costs. 


Speech  integration  technology  is  nothing  new, 
as  any  telephone  caller  who  has  ever  barked  back 
responses  to  a  seemingly  endless  series  of  voice 
prompts  can  testify.  But  an  improved  generation 
of  speech  integration  software,  based  on  more 
powerful  processors  and  emerging  Internet- 


Voice  integration. ..Virtual  displays. ..Open  source 
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Business  is  no  longer  confined 
four  walls.  Today,  people  need  to  access 
and  exchange  information  -  anytime,  anywhere.  Thanks  to  Siemens 

Next  Generation  Internet  solutions,  they  can.  From  cellular  phones  to 

% 

business  communication  systems  to  optical  networks,  we  provide  the 
tools  that  make  Mobile  Business  a  reality.  As  a  leader  in  everything 
from  information  and  communications,  to  healthcare  to  industry  and 
automation,  Siemens  is  in  a  unique  position  to  make  all  our  lives  better. 
When  you  have  450,000  minds  working  together  all  around  the  globe, 
including  75,000  right  here  in  the  U.S.,  innovative  solutions  emerge. 
And  that’s  what  it  takes  to  change  the  world. 


SIEMENS 

Global  network  of  innovation 


©  Siemens  Corporation,  2002 
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focused  standards,  promises  to  make  the 
technology  more  useful  and  cost-effective. 

Until  recently,  organizations  tended  to 
shy  away  from  speech  integration  because 
of  the  technology’s  complexity  and  cost. 
“I  had  one  client  who  had  60  people  on 
its  [speech  integration]  project,”  says  Eliz¬ 
abeth  Ussher,  Meta  Group’s  vice  president 
of  global  networking  strategies  who  cov¬ 
ers  speech  technologies. 

Today,  preconfigured  speech  templates, 
drop-in  objects  and  other  packaged  tools 
make  speech  integration  development  less 


rates,”  says  DuPont.  “They  aren’t  inter¬ 
ested  in  making  a  reservation;  they  just 
want  to  get  information  for  comparison 
purposes.” 

To  free  its  call  center  staff  from  the 
burden  of  handling  routine  data  lookups, 
Dollar  Thrifty  installed  SpeechWorks 
International’s  software  at  its  Thrifty 
division.  The  system  lets  callers  check 
rental  rates  and  availability  at  airport 
locations  by  talking  with  a  virtual  call 
center  agent.  “It’s  a  very  natural,  realistic 
interchange,”  says  DuPont.  The  software 


Today,  preconfigured  speech  templates, 
drop-in  objects  and  other  packaged  tools 
make  speech  integration  development 
less  burdensome. 


burdensome.  Hardware  improvements, 
particularly  speedier  processors,  also  help 
make  speech  integration  a  more  practical 
technology.  “Speech  recognition  is  now 
very  widely  deployable,”  says  Ussher.  “I’m 
seeing  clients  with  a  return  on  their  invest¬ 
ment  within  three  to  six  months.” 

Yet  another  reason  for  increased  inter¬ 
est  in  enterprise  speech  integration  can 
be  found  in  the  almost  exponential  pro¬ 
liferation  of  mobile  phones,  PDAs  and 
other  portable  wireless  devices.  Speech 
input/output  is  an  attractive  alternative 
to  cramped  keyboards  and  miniscule  dis¬ 
plays.  “If  I’m  on  my  mobile  phone  while 
driving  my  car,  I’m  not  going  to  push 
buttons  for  my  account  number,”  says 
Ussher.  “I’m  going  to  wait  for  an  agent — 
living  or  virtual.” 

Calling  for  Cars 

Dollar  Thrifty  is  using  speech  integration 
to  handle  some  of  the  more  than  1  mil¬ 
lion  calls  it  receives  each  year  from  “rate 
shoppers” — bargain  hunters  who  phone 
several  different  car  rental  companies  in 
search  of  the  best  deal.  “Many  of  the  folks 
who  call  are  just  interested  in  checking 


also  automatically  adapts  to  unique 
requirements,  such  as  providing  person¬ 
alized  rates  for  members  of  Thrifty’s  loy¬ 
alty  program. 

After  checking  rates  and  availability, 
callers  who  decide  to  make  a  reservation 
are  seamlessly  transferred  to  a  live  agent. 
A  screen  “pop”  automatically  appears  on 
the  agent’s  display,  presenting  all  the  infor¬ 
mation  the  caller  provided  during  the 
speech  interface  dialogue.  DuPont  esti¬ 
mates  that  35  percent  of  calls  to  the  com¬ 
pany’s  toll-free  number  go  through  the 
speech  integration  system. 

And  speech  integration  has  not  hurt 
Thrifty’s  conversion  rate — the  number  of 
people  calling  for  a  quote  who  ultimately 
make  a  reservation,  says  DuPont. 

Deploying  the  system  wasn’t  especially 
difficult,  he  adds.  “Just  the  normal  tweak¬ 
ing  of  the  application  and  getting  the 
voice  recognizer  to  work  better.  Once  we 
got  through  the  first  90  to  120  days,  it 
became  apparent  that  we  had  a  very  solid 
application.”  Uptime  has  been  more  than 
99  percent,  which  is  a  critical  factor,  says 
DuPont.  “If  it  were  to  go  down,  we  cer¬ 
tainly  would  be  understaffed.” 


Voice  Integration 
Systems 

Anticipated  benefits  Faster 
and  easier  access  to  back-end  data; 
24/7  unattended  operation;  fewer 
operators  and  caii  center  agents; 
support  for  PC,  mobile  phone  and 
wireless  device  users;  and  short¬ 
ened  calls. 

Hurdles  Planning  and  designing 
an  implementation;  integrating 
with  existing  phone  systems;  and 
fine-tuning  the  voice  recognition 
engine  to  work  with  the  widest  pos¬ 
sible  range  of  voices  and  phone¬ 
line  conditions. 

Primary  markets  Call  centers  and 
enterprise  communications  centers. 

Cost  $50,000  to  more  than 
$70,000  for  basic  directed  dia¬ 
logue  systems;  $80,000  to  more 
than  $500,000  for  full-featured 
natural  language  environments. 

Vendors 

Microsoft  www.microsoft.conr. 
Microsoft  Speech  Software 
Development  Kit— a  full  speech 
platform  is  currently  in  technical 
preview. 

IBM  www.ibm.com: 

IBM  WebSphere  Voice  Response 
software. 

Nuance  www.nuance.com: 

Nuance  Voice  Platform  software. 

SpeechWorks  International 

www.speechworks.com: 
SpeechWorks  software. 

ScanSoft  www.scansoft.com: 
SpeechPearl  software. 

Phonetic  Systems 

www.phoneticsystems.com: 

Voice  Search  Engine  software. 


Natural  Language 

Enterprises  looking  into  speech  integra¬ 
tion  face  two  basic  technology  choices. 
The  oldest  and  simplest  type  of  speech 
integration — “directed  dialogue”  prod- 
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|  aren’t  just  bits  of  data 


Jack  Shields,  President 
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“When  someone  needs  an  MRI,  their  minds  are  on  everything  but  going  a  long  way  to 
get  one.  We  have  centers  all  over  New  England,  to  reach  more  people,  make  them  more  comfortable.  Our 
operations,  our  data  are  all  centralized — everything  comes  to  Brockton.  Our  network  solutions  come  from 
Verizon.  Why?  Speed  for  sure.  Probably  more  significant  is  reliability.  Obviously  that’s  very  important  to  us. 
In  our  business,  data  is  people’s  health  and  lives,  not  ones  and  zeros.” 


How  can  Verizon  help  solve  your  data  needs? 
Visit  us  at  verizon.com/data 


verizon 


Make  progress  everyday 
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ucts — prompts  callers  with  a  series  of 
questions  and  recognizes  only  a  limited 
number  of  responses,  such  as  “yes”  and 
“no,”  specific  names  and  numbers. 

A  new  and  more  sophisticated  ap¬ 
proach — “natural  language” — to  speech 
integration  handles  complete  sentences  and 
aims  to  engage  callers  in  lifelike  banter  with 


a  virtual  call  center  agent.  The  technology 
is  also  more  forgiving  of  word  usage.  “If  a 
customer  calls  Thrifty  and  asks  about  rates 
from  JFK  Airport  in  New  York,  they 
might  say  ‘JFK’  or  ‘John  F.  Kennedy’  or 
‘Kennedy  Airport,”’  says  Speech  Works 
cofounder  and  CTO  Michael  Phillips. 
“The  system  has  to  be  prepared  for  the 
different  variations  that  might  be  used.” 

Directed  dialogue  tools,  while  less 
expensive  than  natural  language  systems, 
suffer  from  their  limited  recognition  capa¬ 
bilities.  As  a  result,  they  are  mostly  used 
for  simple  applications,  such  as  automated 
switchboard  attendants  or  credit  card  acti¬ 
vators.  Natural  language  systems,  such  as 
the  type  used  by  Dollar  Thrifty,  have  a 
wide  range  of  applications,  including 
product  and  service  ordering,  telebanking, 
and  travel  reservation  booking. 

A  pair  of  emerging  technologies — 
VoiceXML  and  Speech  Application  Lan¬ 
guage  Tags  (SALT) — are  also  helping  to 
advance  voice  integration.  Both  specifica¬ 
tions  rely  on  Web  technology  to  make  it 
easier  to  develop  and  deploy  speech  inte¬ 
gration  applications. 

VoiceXML  is  an  XML  extension  for 
creating  telephone-based,  speech-user  inter¬ 
faces.  The  specification  lets  developers  cre¬ 
ate  directed  dialogue  speech  systems  that 
recognize  specific  words  and  phrases,  such 
as  names  and  numbers.  That  style  of  inter¬ 
face  is  well  suited  to  callers  who  have  no 
screen  from  which  to  select  options. 


SALT,  on  the  other  hand,  provides 
extensions  to  commonly  used  Web-based 
markup  languages,  principally  HTML 
and  XHTML.  It  makes  such  applications 
accessible  from  GUI-based  devices,  includ¬ 
ing  PCs  and  PDAs.  A  user,  for  example, 
might  click  on  an  icon  and  say,  “Show  me 
the  flights  from  San  Francisco  to  Boston 


after  7  p.m.  on  Saturday,”  and  the  browser 
will  display  the  flights. 

Both  specifications  aim  to  help  devel¬ 
opers  create  speech  interfaces  using  famil¬ 
iar  techniques.  “You  don’t  have  to  reinvent 
the  wheel  and  program  a  new  interface  to 
get  speech  recognition  access  to  your 
data,”  says  Brian  Strachman,  a  speech 
recognition  analyst  at  technology  research 
company  In-Stat/MDR. 

Speaking  Internally 

While  most  people  think  of  speech  inte¬ 
gration  in  terms  of  customer  self-service, 
the  technology  can  also  be  used  internally 
to  connect  an  enterprise’s  employees  and 
business  partners  to  critical  information. 
Aircraft  mechanics,  for  example,  can  use 
speech  integration  to  call  up  technical  data 
onto  a  PDA  or  notebook  screen.  Likewise, 
inventory  takers  can  enter  data  directly 
into  databases  via  speech-enabled  PDAs, 
without  ever  using  their  hands. 

The  Bank  of  New  York,  for  example, 
has  tied  speech  recognition  into  its  phone 
directory  and  human  resources  systems. 
Using  technology  supplied  by  Phonetic 
Systems,  the  bank  operates  an  automated 
voice  attendant  that  lets  callers  connect  to 
a  specific  employee  simply  by  speaking  that 
person’s  name.  But  in  the  event  of  a  major 
emergency  that  requires  entire  departments 
to  move  to  a  new  location,  the  employees 
can  call  into  the  system  to  instantly  create 
updated  contact  information.  The  infor¬ 


mation  then  becomes  available  to  anyone 
calling  the  bank’s  attendant. 

The  speech-based  approach  is  designed 
to  help  bank  employees  resume  their  work 
as  soon  as  possible,  even  before  they  have 
access  to  computers.  “The  automated  atten¬ 
dant  was  already  connected  to  our  back¬ 
end  systems,”  says  Jeffrey  Kuhn,  senior  vice 
president  of  business  continuity  and  plan¬ 
ning.  “We  simply  expanded  the  number  of 
data  fields  that  are  shared  between  the  Pho¬ 
netic’s  product,  our  HR  system  and  our 
phone  directory  system.” 

The  biggest  challenge  Kuhn  faced  in 
deploying  the  technology  was  getting  it  to 
mesh  with  the  bank’s  older  analog  PBX 
systems.  That  problem  was  eventually 
solved,  although  the  interface  ports  on  the 
old  PBX  units  must  now  be  manually  set, 
which  is  a  minor  inconvenience. 

Bottom-Line  Benefits 

Speech  integration’s  primary  benefit  for 
callers  is  convenience,  since  the  technol¬ 
ogy  eliminates  the  need  to  wait  for  a  live 
agent.  Problems  handling  foreign  accents, 
minor  speech  impediments  and  quirky 
word  pronunciations  are  largely  fading 
away  as  software  developers  give  their 
products  the  capability  to  recognize  and 
match  a  wider  array  of  voice  types. 
“Every  four  to  five  years,  speech  tech¬ 
nologies  improve  by  a  factor  of  two,”  says 
Kai-Fu  Lee,  vice  president  of  Microsoft 
Speech  Technologies. 

Dollar  Thrifty’s  DuPont  says  his  com¬ 
pany’s  internal  research  has  found  an  end 
user  satisfaction  level  of  around  93  percent. 
“It  either  met  or  exceeded  their  need  to  get 
information,  and  they  had  an  improved 
perception  of  our  company,”  he  says. 

For  enterprises,  speech  integration’s 
bottom-line  benefits  include  cheaper  24/7 
user  support  and  data  access.  DuPont  says 
his  system  paid  for  itself  in  less  than  a  year; 

cio.com  Read  Chris  Lindquist’s 
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Despite  the  potential  benefits,  CIOs 
shouldn’t  view  speech  integration  as  a 
panacea  to  their  rising  call  center  costs. 
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lopping  about  45  cents  off  the  cost  of  each 
incoming  call.  Bank  of  New  York’s  Kuhn 
estimates  that  his  system  handles  the  work 
of  five  full-time  employees. 

Despite  the  potential  benefits,  CIOs 
shouldn’t  view  speech  integration  as  a 
panacea  to  their  rising  call  center  costs. 
The  technology  itself  requires  constant 
attention,  which  adds  to  its  base  cost  and 
detracts  from  potential  savings.  “It’s  labor 
intensive,”  says  Meta  Group’s  Ussher.  “It’s 
not  like  a  washing  machine  that  runs  on  its 
own.  It’s  a  technology  that  requires  con¬ 
stant  tweaking,  pushing  and  updating.” 

DuPont  warns  potential  adopters  not  to 
consider  speech  integration  as  solely  an  IT 
issue.  Since  the  technology  affects  a  wide 
range  of  business  processes,  he  believes 
that  it’s  vital  to  gamer  enterprisewide  sup¬ 
port.  “I  would  certainly  recommend  get¬ 
ting  all  the  stakeholders  involved,”  he  says. 
“When  we  put  our  system  together,  we 
involved  people  from  many  disciplines, 
including  IT,  HR,  finance  and  telecom,  as 
well  as  the  reservations  group.” 

While  speech  integration  will  certainly 
become  more  capable  and  self-sufficient 
in  the  years  ahead,  few  observers  believe 
the  technology  will  ever  fully  replace  liv¬ 
ing,  breathing  call  center  agents.  In- 
Stat/MDR’s  Strachman  says  that  speech 
integration  will  primarily  be  used  to  elim¬ 
inate  call  center  grunt  work,  such  as  the 
recitation  of  fares  and  schedules,  and  to 
give  end  users  a  new  way  to  access  criti¬ 
cal  data.  The  handling  of  complex  issues, 
such  as  technical  support,  will  probably 
always  require  access  to  a  live  expert. 
“For  call  center  agents  to  stay  employed, 
they’re  going  to  have  to  be  more  highly 
skilled  and  trained  than  they  are  now,” 
says  Strachman. 

That  suits  Dollar  Thrifty’s  DuPont  just 
fine.  “We  want  our  agents  to  do  something 
more  than  just  quote  rates,”  he  says.  “You 
can  get  a  system  to  do  that,  and  we  did.”  ■ 


John  Edwards  is  a  freelance  writer  based 
in  Arizona.  He  can  be  reached  at  john@ 
john-edwards.com. 
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UNDER  DEVELOPMENT 
Display  tech 

Magic  Window 

DID  THAT  MANNEQUIN  JUST  MOVE?  It  might  not  be  your  imagination.  Hitachi's  new 
AirSho  imaging  system  projects  dynamic  pictures  onto  nearly  invisible  glass  surfaces, 
such  as  a  storefront  window. 

The  system  displays  full-motion  images— generated  by  a  PC  or  DVD  player— that  give 
the  illusion  of  appearing  out  of  nowhere.  It  uses  a  floor-  or  ceiling-mounted  projector  that 
shines  video  onto  a  photopolymer-resinous  Plexiglas  display.  The  40-  or  60-inch  diago¬ 
nal  screen  sticks  to  the  window's  surface  with  water— like  a  decal.  “It’s  similar  to  a  screen, 
but  you  can  actually  see  right  through  it  while  an  image  is  appearing,"  says  Ray  Soltys, 
a  spokesman  for  Hitachi  America’s  Digital  Media  Division. 

Stores,  shopping  malls,  travel  agencies,  banks,  airports  and  a  variety  of  other  busi¬ 
nesses  can  use  the  system  for  advertising  and  informational  purposes.  “We’ve  seen  a  lot 
of  interest  from  retail  chains  that  want  the  ability  to  control  and  update  in-store  advertis¬ 
ing  from  a  central  location  via  networked  PCs,"  says  Soltys. 

The  system  is  a  slick  combination  of  cutting-edge  materials  and  optical  engineering. 
The  screen  consists  of  a  60-nanometer  film  of  photopolymer  resin  glued  to  a  piece  of 
Plexiglas.  The  film  itself  is  laser  etched  to  create  tiny  prisms.  Each  prism  must  be  angled 
precisely,  and  the  Plexiglas  must  contain  no  air  bubbles  so  that  the  projected  light  can 
follow  a  path  directly  into  the  viewers’  eyes. 

The  display  doesn’t  reflect  sunlight,  but  a  bright  day— or  powerful  external  lighting- 
can  dim  images.  Also,  like  most  other  projection  systems,  AirSho  provides  diminished 
visibility  to  viewers  standing  at  the  screen's  sides.  “The  best  viewing  angle  is  dead-on, 
looking  straight  at  it,”  says  Soltys. 

AirSho  is  priced  at  $5,963  and  $8,330  for  the  40-  and  60-inch  models,  respec¬ 
tively.  For  some  retailers,  that  will  be  a  small  price  to  pay  to  catch  the  attention  of 
potential  customers. 

-John  Edwards 
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WebSphere,  software 


See  old  apps  combine  with  nevwapps. 
See  customers  connect  with  partners. 
See  today’s  stuff  click  with  tomorrow’s 


WebSphere  Business  Integration  is  far  and  away  the  leading  integration  software  for  the  on  demand 
era.  Open  and  flexible,  WebSphere  lets  you  model,  integrate  and  manage  all  of  your  business 
processes.  WebSphere  delivers  an  infrastructure  that  quickly  responds  to  change,  meeting  business 
demands,  on  demand.  For  an  Integration  InfoKit  and  case  studies,  visit  ibm.com/websphere/seeit 
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Summary  2003."  ©2003  WinterGreen  Research,  Inc.  £  2003  IBM  Corporation  All  fights  reserved 
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PUNDIT 

Open-source  software 

The  End  of  Idealism 


The  grassroots  development  model  has  matured ,  but  open 
source  may  now  be  facing  its  worst  growing  pains 


WHEN  LINUS  TORVALDS  SAT  DOWN  in 

1991  to  write  a  version  of  Unix  that  would 
run  on  Intel  chips,  he  probably  didn’t  think 
too  much  about  creating  a  whole  new  way 
to  develop  and  maintain  software.  Yet  the 
act  of  opening  the  code  to  anyone  inter¬ 
ested  and  willing  to  make  a  contribution 
has  had  a  revolutionary  impact. 

The  concept  of  software  as  a  public 
good  wasn’t  invented  by  Linus  (that  honor 
probably  goes  to  Richard  Stallman  with 
the  publication  of  the  GNU  Manifesto  in 
1985),  nor  was  Linux  the  first  open-source 
Unix  (that  would  be  Minix,  developed  by 
Andrew  Tanenbaum  in  1987).  However, 
the  creation  of  a  practical  and  effective 
process  by  which  source  code  is  shared  on 
a  noncommercial  basis  essentially  came 
from  his  efforts.  It’s  also  clear  that  his  will¬ 
ingness  to  maintain  the  essence  of  the 
open-source  process  through  his  active 
participation  has  been  critical  in  expanding 
and  maintaining  the  community. 

Fast-forward  to  2001.  Linux  is  in  the 
core  strategy  of  most  major  vendors 
(including  Hewlett-Packard,  IBM,  Intel, 
Oracle  and  Sun  Microsystems)  and  is 
increasingly  the  platform  of  choice  for 
many  server  applications.  Open-source 
development  products  (JBoss,  FreeSQL, 
Tomcat)  are  widely  available  and  in  some 
cases  (such  as  Apache)  widely  used.  There 
are  at  least  30  Linux  distributions  avail¬ 
able.  Microsoft  is  even  acting  as  though 
it’s  at  least  mildly  concerned. 

So  has  open  source  come  of  age?  Are 
we  beyond  the  idealist  and  early  adopter 
stage?  Should  corporate  users  be  looking 
seriously  at  open-source  processes  and 
products  alongside  vendor-owned  solu- 


Open-source 
software  is  free 
in  the  sense  of 
“free  speech,”  not 
“free  ride.” 

-John  Parkinson 

tions?  First  some  issues  to  consider. 

To  cast  the  open-source  discussion  as 
“free”  verses  “paid”  software  is  inaccu¬ 
rate.  Open-source  software  is  free  in  the 
sense  of  “free  speech”  (which  carries  with 
it  the  connotations  of  certain  rights  and 
obligations),  not  “free  ride”  (which  im¬ 
plies  something  for  nothing).  In  reality, 
both  approaches  result  in  cost  to  the  cus¬ 
tomer;  the  difference  is  in  where  users  first 
incur — and  then  recover — their  costs.  The 
reality  in  a  competitive  market  is  that 


users  should,  and  most  often  do,  make 
their  decisions  based  on  the  total  cost  of 
operation  and  the  return  that  they  can 
expect  on  their  investment. 

Second,  a  lot  of  the  intellectual  property 
in  Linux  is  actually  owned  by  companies 
that  never  officially  agreed  to  make  it  avail¬ 
able  under  an  open-source  license.  Most 
obvious  here  is  The  SCO  Group,  which  is 
suing  IBM  (and  threatening  to  sue  everyone 
else  who  either  distributes  or  uses  Linux) 
over  trade  secret  infringements.  But  there 
are  others,  including  Microsoft,  that  could 
do  the  same  if  they  chose. 

Third,  “open  source”  is  no  more  a  guar¬ 
antee  of  intrinsic  quality  than  “vendor 
source.”  By  my  count,  Red  Hat  issued 
more  critical  patches  to  its  Linux  distribu¬ 
tion  in  2002  than  did  Microsoft  for  the 
Windows  2000  Server. 

Finally,  some  behaviors  in  the  open- 
source  community  surfaced  because  of 
the  SCO  suit  that  should  give  us  all  pause. 
The  most  successful  open-source  move¬ 
ment  prior  to  Linux  was  the  hacker  move¬ 
ment — not  exactly  the  kind  of  folks  that 
corporate  decision-makers  want  associ¬ 
ated  with  their  platform  software.  Some 
of  these  folks  (reportedly  from  the  fringes 
of  the  open-source  community)  surfaced 
last  week  and  shut  down  the  SCO  website 
with  a  targeted  denial-of-service  attack 
that  used  knowledge  of  Linux’s  inner- 
workings  to  improve  its  effectiveness. 

Mainstream  adopters  are  generally  risk- 
adverse  and  like  well-established  ideas  and 
the  products  they  generate.  I  firmly  believe 
there  is  a  place  for  all  sorts  of  options  in 
the  technology  marketplace,  including 
Linux  and  other  open-source  software. 
Encouraging  independent  developers  is  an 
important  part  of  the  innovation  process  in 
the  software  industry;  and  widely  shared, 
adequately  protected  intellectual  property 
is  a  powerful  incentive  for  innovation.  Is 
open  source  mature  yet?  Probably  not — 
but  it’s  certainly  getting  closer.  BE! 


John  Parkinson  is  a  senior  vice  president  and 
chief  technologist  for  Cap  Gemini  Ernst  &  Young. 
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DB2  Information  Management  Software 
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See  DB2  software  connect  data 


near  and  far.  y 
See  DB2  software  connect  formats,  old  and  new. 
See  DB2  software  create  insight,  again  and  again 


DB2.  It’s  the  ultimate  po®d®p®Ml-time  information  management 


software.  You  can  now  leverage 
every  scrap  of  data,  no  matter  where  it  is,  or  what  it  is.  You  see  it  all,  as  if  it  resided  in  a  single  place. 
Insightful  and  open,  DB2  lets  you  use  and  build  on  what  you  already  have,  whether  it’s  IBM,  Oracle  c 
Microsoft®—  goodbye  “rip  and  replace.’’  For  a  DB2  Software  Information  Kit,  visit  ibm.com/db2/seei1 
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What  Lies  Ahead 


Create  a  Cutting-Edge  Culture:  Being  innovative  is  more 
important— and  more  challenging— than  ever.  How  can  you 
be  resourceful  and  forward-thinking,  even  in  tough  times? 

Invent  New  Methods  of  Showing  Value:  You’re  under  more 


pressure  to  show  the  value  of  every  IT  dollar.  Iftraditional  ROI  metrics  don’twork 
in  your  case  -make  up  your  own.  Two  of  our  winners  did.  Get  Fast  and  Flexible: 
Adapting  and  moving  quickly  on  opportunities  is  a  trait  of  truly  resourceful  orga¬ 
nizations.  Two  winners  turned  adversity  into  advantage,  developing  faster,  more 
flexible  processes.  Motivate  Employees  and  Boost  Morale:  When  the  economy 
enters  a  downward  spiral,  so  does  morale.  Our  winners  share  initiatives  that  help 
keep  their  most  important  resource  happy. 


Sponsored  by 


August  17-19, 2003  The  Broadmoor  Colorado  Springs,  CO 

To  enroll  I  800.35  i.0246  I  www.cio.com/conferences 


■  Bleeding-edge  tech:  lessons 
from  the  front  lines 

■  Ensuring  data  privacy  in  an 
access-hungry  environment 

■  TheCSO  in  you:  howto  be  your 
own  security  watchdog 

■  Buildingthe  next  generation  of 
IT  leaders 


Your  Hot 
Topics 


Gather  with  fellow 
attendees  to  discuss 
common  problems  and 
possible  solutions. 

■  Designingfor  maximum 
IT  cost  flexibility/agility 

■  Compliance  and  liability:  dealing  with  Sarbanes- 
Oxley  and  Patriot  Act  legislation 

■  Long-term  partnerships: 
negotiating  strong,  mutually 
beneficial  vendor  deals 


■  Offshore  outsourcing 

■  Navigating  the  landmines  of  mergers/acquisitions 


■  And  more! 


Executive  Mindshare  sessions 

Small  working  groups  of  CIOs 
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Bloomington  Hospital  &  Healthcare  System 

Improves  patient  care  through  a  Business-Driven  Network.™ 

In  a  hospital  environment,  networks  aren’t  mission  critical — they’re  life  critical.  That’s 
why  the  Bloomington  Hospital  &  Healthcare  System  turned  to  Enterasys  Networks 
for  a  more  secure,  robust  and  mobile  infrastructure  to  support  its  vast  operation. 

Wire-speed  performance  and  pinpoint  control  handle  diverse  application  needs,  such  as 
real-time  fetal  heart  monitoring.  Next-generation  wireless  will  allow  for  “on  the  fly” 
patient  registration  and  charting,  all  while  protecting  confidential  data. 

Physicians  and  staff  are  more  productive;  patients  receive  the  quality  care  they  deserve. 
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IBM’s  On-Demand  Reality 

By  Christopher  Koch  I  48 

Based  on  the  state  of  its  component 
technologies,  such  as  grid  computing 
and  self-healing  technology,  IBM’s 
e-business  on-demand  promises  cannot  be 
fulfilled  any  time  soon.  But  by  putting 
IBM’s  unmatched  marketing  muscle  behind 
it,  the  company  has  gotten  the  attention  of 
fearful  corporate  leaders  who  seem  all  too 
willing  to  get  the  costly  IT  mess  off  their 
books  and  into  the  hands  of  Big  Blue  as 
soon  as  possible — much  like  American 
Express  did  recently.  But  if  CEOs  buy  on- 
demand  the  same  way  they  bought  ERP 
and  CRM — over  19th  hole  cocktails  with 
consultants — the  effects  could  make  the 
bloated  expectations,  slow  progress  and 
cost  overruns  of  the  enterprise  era  look  like 
best  practices  by  comparison.  IBM  insists 
its  message  has  been  clear:  On-demand  is 
an  incremental,  long-term  vision.  But  incre¬ 
mental  isn’t  something  most  CEOs  want  to 
hear.  CIOs  who’d  like  to  keep  their  jobs  must 
manage  CEO  expectations  for  on-demand 
and  utility  computing  offerings  from  IBM, 
Sun  and  HR  They  must  separate  hype  from 
reality,  temper  the  outsourcing  urge,  pressure 
vendors  for  interoperability  and  pursue  vari¬ 
able  pricing  deals. 


“The  concept  of  a  plug- 
and-play  electric  utility 
model  for  computing  is 
appealing.  But  you  peel 
back  the  onion  even  one 
layer  and  the  analogy 
falls  apart.” 

-DAVID  DIBBLE,  EXECUTIVE  VP  OF 
TECHNOLOGY  SERVICES, 
CHARLES  SCHWAB 


Risk  Analysis  By  Scott  Berinato  I  60 

WHILE  SOME  I.T.  LEADERS  use  informal  risk  assessments  in  their  investment  decision-making, 
most  leave  this  critical  step  out,  and  very  few  do  actual  risk  analyses.  Yet  the  real  cumulative  risk 
of  investment  options  would  surprise  and  even  shock  CIOs  who  rely  on  intuition.  As  the  CIOs  at 
Raytheon,  Ryder  and  other  companies  have  found,  risk  analysis  is  an  essential  component  of  portfo¬ 
lio  management.  At  least,  CIOs  should  be  working  with  risk  analysis  templates  to  assess  the  five  core 
risks  of  software  projects:  schedule  flaws,  requirements  inflation,  staff  turnover,  specification  break¬ 
down  and  underperformance.  Well-established  statistical  tools  such  as  Monte  Carlo  and  decision 
tree  analyses  can  be  used.  Regardless  of  the  tool,  CIOs  still  need  to  craft  their  own  risk  mitigation 
strategies  and  determine  with  the  executive  team  what  level  of  risk  is  acceptable  and  what  is  not. 


HIPAA  Security  Regulations  By  Alice  Dragoon  I  70 

LESS  THAN  10  PERCENT  of  health  -care  organizations  have  implemented  the  patient  data  secu¬ 
rity  policies  and  procedures  required  by  the  federal  Health  Insurance  Portability  and  Accountability  Act 
(HIPAA),  which  was  passed  in  1996  to  standardize  and  protect  the  transmission  of  electronic  health¬ 
care  data.  The  HIPAA  Security  Rule  is  not  enforceable  until  April  2005,  but  CIOs  can’t  afford  to  wait. 
Right  now,  leading  health-care  providers  are  getting  executive  buy-in  and  crafting  a  communication 
plan  for  employees.  They  are  assessing  which  electronic  patient  data  must  be  protected,  where  all  of 
that  data  is  stored  and  where  it’s  transmitted.  They  are  auditing  security  practices  and  implementing 
authentication  technologies.  Although  data  encryption  is  not  required,  organizations  should  invest  the 
relatively  nominal  sum  to  encrypt  data  transmitted  outside  their  institutions. 


Project  Management  Offices  By  Megan  Santosus  I  82 

MORE  AND  MORE  I.T.  ORGANIZATIONS  are  creating  project  management  offices  (PMOs) 
to  provide  the  structure  and  expertise  needed  to  improve  project  success  rates.  Most  respondents  to  a 
recent  survey  of  IT  executives  have  seen  improvement  in  project  success  rates  through  their  PMOs’ 
standardized  practices  and  repeatable  processes.  At  Sun  Life  Financial’s  American  subsidiary,  three 
metrics  determine  PMO  effectiveness:  accuracy  of  cost  and  schedule  estimates  and  project  stakeholder 
satisfaction.  Thanks  to  the  PMO,  from  2001  to  2002,  these  measures  improved  25  percent,  31  percent 
and  9  percent,  respectively.  But  companies  looking  for  a  quick  reduction  in  costs  may  be  disappointed; 
74  percent  of  PMO  users  reported  no  cost  benefit.  The  type  of  PMO  must  be  compatible  with  corpo¬ 
rate  culture:  one  might  act  as  a  consultant,  providing  project  managers  in  business  units  with  train¬ 
ing,  guidance  and  best  practices;  another  lends  project  managers  to  business  units  to  work  on  projects. 


Case  Files:  Vanguard’s  Channel  Integration  By  Alice  Dragoon  I  91 

VANGUARD  HAS  ALWAYS  SERVED  its  customers  virtually.  By  1998,  customers  were  using 
Vanguard.com  to  open  and  manage  accounts.  However,  the  powerful  Web  tools  soon  outstripped  the 
systems  used  by  Vanguard  employees — a  classic  case  of  channel  disparity.  After  much  internal  debate, 
the  company  decided  that  the  customer  service  employees  should  use  the  same  Web  interface.  Such  a 
brilliantly  simple  solution  resulted  in  seamless  customer  service  and  let  Vanguard  avoid  the  expense 
of  a  third-party  CRM  system.  That  decision  ultimately  led  to  a  three-tiered  architecture:  the  inter¬ 
nal/external  Web  interface  linked  to  standard  midtier  business  objects  running  on  a  single  enterprise 
database  for  all  channels.  Identifying  consistent  definitions  for  some  4,000  data  points  wasn’t  easy, 
but  Vanguard’s  businesspeople  hammered  out  a  consensus.  Now  Vanguard  is  in  the  process  of  retir¬ 
ing  at  least  eight  databases. 
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